New OMB Guidance to Software Producers

    OMB Guidance to Software

    New OMB Guidance to Software Producers

    On September 14, 2022, OMB released memorandum M-22-18, detailing requirements for federal agencies procuring software from producers. The memorandum highlights how all producers of software selling to federal agencies will be required to attest that they are following the secure development practices highlighted in NIST SP 800-218 and the NIST Secure Software Development Framework (SSDF). The timeline for this requirement is 365 days for most software and 270 days for software identified as critical by an agency.

    Under the current guidance self attestations are allowed, but this will likely change in the future and require FedRAMP certified third-party assessment organizations (3PAO) to perform the attestation. If an organization cannot complete the attestation, they must document their gaps and a remediation plan in a Plan Of Actions and Milestones (POA&M). The receiving agency may then perform a risk assessment to determine whether the current deficiencies and remediation plan aligns with their risk appetite.

    SCYTHE’s own Jim Webster put together this handy graphic displaying the timeline of responsibilities for federal agencies and CISA. 

    Timelines and responsibilities

    Figure 1: Timelines and responsibilities

    SP 800-218 offers examples where validating security controls can be important, including PO 3.2, “continuously monitor tools and tool logs for potential operational and security issues, including policy violations and anomalous behavior.” Organizations will want to emulate a threat actor in the build environment to determine if their logging and monitoring controls would detect their presence. PO 5.1 (“Separate and protect each environment involved in software development”) and PO 5.2 (“Secure and harden development endpoints to perform development-related tasks using a risk-based approach”) offer additional security control guidance that should be verified using tooling such as an adversary emulation platform.

    NIST

    Figure 2: NIST 800-218, PO 5.2 

    If you are not confident that the security controls in your development environment (or any environment for that matter) are functioning optimally, reach out to SCYTHE to schedule a demo of our platform. If you prefer to have SCYTHE assist with your control validation or Purple Team assessments, SCYTHE offers professional services for organizations of any size or budget. SCYTHE wants to help organizations maximize the value of their security controls. After all, you want to know where you stand.

    References: 

    OMB Memo 22-18: https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf

    NIST SP 800-218: https://csrc.nist.gov/publications/detail/sp/800-218/final

    NIST Secure Software Development Framework (SSDF): https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-supply-chain-security-guidance

    Latest Posts

    TSA SD-02C: Critical Infrastructure Cyber Regulations
    TSA SD-02C: Critical Infrastructure Cyber Regulations
    April 22,2024
    SCYTHE: Connecting the Red and Blue Transforming Controls Validation with Smart Tagging
    SCYTHE: Connecting the Red and Blue Transforming Controls Validation with Smart Tagging
    April 17,2024
    Transforming Proactive Cybersecurity with SCYTHE's AI Assistant: Cl0ppy
    Transforming Proactive Cybersecurity with SCYTHE's AI Assistant: Cl0ppy
    March 20,2024
    Achieving Annual PenTest Compliance via Purple Teaming
    Achieving Annual PenTest Compliance via Purple Teaming
    March 18,2024
    Ransomware Defense: Adversarial Emulation for Hospitals and Healthcare
    Ransomware Defense: Adversarial Emulation for Hospitals and Healthcare
    March 11,2024

    Related Articles