Going Hard on Software: OMB Unveils Mandatory Software Supply Chain Security Compliance Requirements
Client Alert | 2 min read | 09.15.22
Yesterday, the Office of Management and Budget (OMB) released Memorandum M-22-18, implementing software supply chain security requirements that will have a significant impact on software companies and vendors in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity. The Memorandum requires all federal agencies and their software suppliers to comply with the NIST Secure Software Development Framework (SSDF), NIST SP 800-218, and the NIST Software Supply Chain Security Guidance whenever third-party software is used on government information systems or otherwise affects government information. The term “software” includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software. It is critical to note that these requirements will apply whenever there is a major version update or new software that the government will be using.
The Memorandum requires agencies to take the following actions:
- within 90 days, agencies must inventory all software subject to the Memorandum;
- within 120 days, agencies will have developed a process to communicate requirements to vendors and ensure that vendor attestation letters can be collected in a central agency system;
- within 180 days, agencies must assess training needs and develop plans for the review and validation of attestation documents;
- within 270 days for critical software and within 365 days for all others, agencies will require self-attestations from all software producers; and
- as needed, obtain from software producers a Software Bill of Materials (SBOM)or other artifact(s) that demonstrate conformance to secure software development practices.
To comply with the Memorandum, software producers must attest that they adhere to the NIST software supply chain frameworks and guidance. In lieu of a self-attestation, software producers may also submit third-party assessments of compliance with the software security standards conducted by a certified FedRAMP assessor or an assessor approved by the agency.
Software producers or vendors providing software to the federal government should begin reviewing their security practices and their overall software development lifecycle immediately to ensure that they can attest to compliance with the applicable NIST standards in the very near future.
Contacts
Senior Counsel
She/Her/Hers
Insights
Client Alert | 5 min read | 06.11.25
Steel Tariffs Doubled: How the Hike Could Reshape Construction Projects at Home and Abroad
To date the Trump Administration has issued multiple proclamations imposing varying rates of import duties on steel and aluminum and certain derivatives, including construction materials. These measures have added volatility and financial pressures to the construction sector both in the United States and abroad. Most recently, on June 3, 2025, President Donald Trump issued a proclamation under Section 232 of the Trade Expansion Act of 1962, doubling tariffs on imported steel and aluminum from 25% to 50%, effective June 4, 2025. This action aims to counteract the continued influx of lower-priced, excess steel and aluminum imports that, according to the administration, threaten U.S. national security by undermining domestic production capacity. The proclamation notes that while prior tariffs provided some price support, they were insufficient to achieve the necessary capacity utilization rates for sustained industry health and defense readiness. The United Kingdom remains temporarily exempt at the 25% rate until July 9, per the U.S.-U.K. Economic Prosperity Deal.
Client Alert | 5 min read | 06.11.25
The FCPA Pause Is Over: Trump DOJ Issues Long-Awaited FCPA Investigations and Enforcement Guidelines
Client Alert | 4 min read | 06.10.25
Trump Administration Cyber Executive Order Revises Prior Administrations’ Requirements
Client Alert | 19 min read | 06.09.25
