US Government Issues Guidelines on Software Security Assurance Standards

US Government Provides Guidance on Software Security Attestation Requirements

The US Office of Management and Budget (OMB) has issued new guidance, memorandum M-23-16, on software security attestation requirements for federal agencies. The earlier memorandum, M-22-18, issued by OMB in September 2022, required federal agencies to obtain attestations from software producers that the software they supply was developed in line with secure software development practices. The new memorandum extends the timeline for agencies to collect those attestations. Per M-23-16, attestations for critical software must be obtained no later than three months after the M-22-18 attestation common form, developed by the Cybersecurity and Infrastructure Security Agency (CISA), is approved by OMB. Attestations for all other software must be obtained within six months of that approval.

Software Security Attestation Requirements

The memorandum clarifies that the attestation requirement also covers software deployed, configured, or modified by a contractor on behalf of the agency. Agencies should establish communication channels with their software producers, inventory all software that falls under the requirements, and obtain the necessary attestations. The minimum level of assurance is a self-attestation form submitted by the producer. Agencies may, however, also request a software bill of materials (SBOM) and other artifacts, and may require the producer to operate a vulnerability disclosure program.

Risk Assessment

The new memorandum makes it clear that federal agencies must assess the risk of using proprietary software that is freely obtained and publicly available, such as web browsers. Agencies do not need to collect separate attestations for third-party components incorporated into a software product; the producer's attestation covers the product as delivered. If a producer cannot attest to all of the required practices but documents the practices it cannot attest to, the mitigations in place, and its plan to address the gaps, the agency should notify OMB and request an extension of the attestation deadline; the agency may continue to use the software in the meantime.

Advice for Software Vendors

The OMB guidance gives software producers a clear direction for meeting the attestation requirements of federal agencies. Producers can prepare by obtaining third-party assessments of their development practices, running vulnerability scanning programs, providing SBOMs, and continuously monitoring their products for newly disclosed vulnerabilities. Meeting these requirements gives producers a competitive advantage and strengthens the confidence of federal agencies in their software.

Editorial

The guidance issued by OMB should be welcomed by the cybersecurity industry, particularly vendors and developers. The need for secure software is more pressing than ever, given the growing number of cyber threats facing federal agencies. The guidance also highlights the importance of conducting due diligence when selecting software vendors. By making attestation of secure development practices a condition of procurement, federal agencies can materially reduce the likelihood of successful supply-chain attacks.

Philosophical Discussion

The guidelines issued by the US Government signal a growing understanding in the public sector of the importance of software security assurance. Verifiable assurance about how software was built is a critical differentiator between software products in the market. These guidelines promote trust between agencies and vendors and should lead to better cybersecurity outcomes. In an era of digitally driven initiatives and advancing e-governance, software security needs to be a top priority.

Conclusion

The US Government's guidance on software security attestation requirements is a significant step towards improving the security of software used by federal agencies. The guidelines are part of a broader effort to address the cybersecurity challenges facing the public and private sectors. Vendors and developers are advised to keep their products up to date by providing timely security patches and to follow the existing guidelines, which together support effective cyber risk mitigation.
