Softening the Blow: OMB Extends Software Supply Chain Security Deadline and Clarifies Scope

On June 9, 2023, the Office of Management and Budget (OMB) released M-23-16, Update to Memorandum M-22-18, which alters key deadlines and clarifies how agencies and software developers can comply with M-22-18.  The original memorandum, published in September 2022, required all federal agencies and their software developers to comply with the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF), NIST SP 800-218, and the NIST Software Supply Chain Security Guidance (collectively, NIST Guidance) whenever third-party software is used on government information systems or otherwise affects government information.

Attestation Due Date Extended

The update extends the deadlines by which agencies must collect attestation letters from software developers certifying their compliance with the NIST Guidance.  The previous deadlines were June 12, 2023 for critical software and September 14, 2023 for all other software.  Now, the attestation letter due date hinges on the publication of a common attestation form, which could be finalized with little warning.  Agencies must collect attestation forms for critical software (as defined in OMB Memorandum M-21-30) three months after the common form is approved by OMB and must collect attestation forms for all other software within six months.

Clarifications to the Scope of M-22-18

The update clarifies that attestation forms are not required for proprietary software that is free and publicly available.  OMB explained that such software is given to the public for free and there is no opportunity for the government to negotiate with the developer, making it infeasible for agencies to obtain attestations.  However, free demonstrations or pilots of proprietary software products that are otherwise available for purchase will still require attestations.  OMB also noted that open source software obtained by the government is beyond the scope of the NIST Guidance.

OMB also narrowed the scope of attestations required by software components.  The M-23-16 update explains that agencies will not have to collect attestations from third-party software components that are incorporated into software end products.

Additionally, the update gives agency chief information officers (CIOs) the authority to designate software developed by federal contractors as “agency-developed.”  To do so, the CIO must determine if the agency’s specifications and supervision of the contractor were sufficient to ensure that the contractor used secure software development practices throughout the entire software development lifecycle.  This designation is important because “agency-developed” software does not require an attestation.

POAMs Procedure and Guidance

Finally, the update provides guidance on the use of Plans of Action and Milestones (POAM) when a software developer cannot attest to compliance with the NIST Guidance.  The update requires the software developer to specifically identify the practices to which they cannot attest, document the practices they have in place to mitigate risks, and submit a POAM to the agency.  The agency must then find the POAM satisfactory and concurrently seek an extension of the deadline for attestation from OMB.  If the agency does not find the POAM satisfactory or fails to seek an extension, then it must discontinue use of the software.

Next Steps for Government Software Developers

Despite the extended attestation deadlines, companies providing software or products containing software to the federal government should continue to work diligently towards compliance with the NIST Guidance.  The final common attestation form could be published with little warning, triggering a three- or six-month deadline for compliance, depending on whether critical software is implicated.