News

White House Calls for 'Attestations' of Secure Practices from Third-Party Software Providers

• By John K. Waters
• September 15, 2022

The White House this week published a set of software security guidelines that will require federal government agencies to obtain "self-attestations" from the third-party software providers that they are following secure software development practices in accordance with government recommendations.

The guidelines are meant to "…ensure that millions of lines of code that underpin Federal agencies’ work are built with industry security standards in place," said Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director, in a blog post.

The new guidance from the Office of Management and Budget, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices,” emerges President Joe Biden's executive order on improving the nation's cybersecurity, issued May 2021, which was which was in response to the SolarWinds disaster and other high-profile software supply chain meddling.

A self-attestation is a documented statement that developers must provide to demonstrate their compliance with the Secure Software Development Framework (SSDF) from the National Institute of Standards and Technology (NIST) at the U.S. Department of Commerce. The NIST Cybersecurity Framework is a set of software development practices based on established secure software development practice documents from organizations such as BSA, OWASP, and SAFECode.

"Few software development life cycle (SDLC) models explicitly address software security in detail," the NIST webpage reads, "so practices like those in the SSDF need to be added to and integrated with each SDLC implementation."

The White House has ordered its own agencies to begin adopting the NIST standard last March.

"Not too long ago, the only real criteria for the quality of a piece of software was whether it worked as advertised," DeRusha said in his post. "With the cyber threats facing Federal agencies, our technology must be developed in a way that makes it resilient and secure, ensuring the delivery of critical services to the American people while protecting the data of the American public and guarding against foreign adversaries."

Specifically, the guidelines, which were developed with input from the public and private sectors, as well as academia, direct agencies to use only software that complies with secure software development standards, creates a self-attestation form for software producers and agencies, and provides the federal government with a tool for quickly identifying security gaps when new vulnerabilities are discovered, DeRusha said.