This is the twenty-fourth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through March 2023. This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during April 2023.
CISA Requests Comment on Secure Software Self-Attestation Common Form
On April 27, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) released a 60-day Request for Comment on a draft secure software self-attestation common form. Comments will be accepted through June 26, 2023 and may be submitted through Regulations.gov. The draft common form, developed in close consultation with the U.S. Office of Management and Budget (“OMB”), is a key step in implementation of OMB Memorandum M-22-18 (the “OMB Memorandum”), which was issued pursuant to Section 4 of the Cyber EO and directs agencies to use only software that complies with Government-specified secure software development practices. Specifically, and among other requirements, the OMB Memorandum directs that software providers self-attest that the software developer follows the secure development practices described in the NIST Secure Software Development Framework (SP 800-218) and the NIST Software Supply Chain Security Guidance. The key provisions of the OMB Memorandum are discussed in more detail in our prior blog.
Scope. The OMB Memorandum applies to all software (other than agency-developed software) developed or experiencing major version changes to be operated “on the agency’s information systems or otherwise affecting the agency’s information.” CISA’s draft common form further specifies that the “following software requires self-attestation:
- Software developed after September 14, 2022;
- Existing software that is modified by major version changes […] after September 14, 2022; and
- Software to which the producer delivers continuous changes to the software code (such as software-as-a-service products or other products using continuous delivery/continuous deployment).”
The third category – software to which the producer delivers continuous changes to the software code – is an expansion of the scope of the OMB Memorandum. In contrast, the draft common form exempts the following software products and components from self-attestation:
- Software developed by Federal agencies; and
- Software that is “freely obtained (e.g.[,] freeware, open source) directly by a federal agency.”
Notably, the definition of “software” in the OMB Memorandum is expansive and expressly includes (in addition to conventional software) “firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.”
Attestation. CISA’s draft common form “identifies the minimum secure software development requirements a software producer must meet, and attest to meeting, before their software subject to the requirements of M-22-18 may be used by Federal agencies.” The draft common form is intended to be supplemented by agency-specific requirements, which may be attached as an addendum. For example, the OMB Memorandum provides that agencies may require a Software Bill of Materials (“SBOM”), documentation from a third-party assessor, or other artifacts. However, CISA’s public notice of the draft common form asserts that “any agency specific attestation requirements, modification and/or supplementation of these common forms will require clearance by OMB/OIRA under the [Paperwork Reduction Act] process and are not covered by this notice.”
Furthermore, the draft common form specifies that the common form “must be signed by the Chief Executive Officer of the software producer or their designee, who must be an employee of the software producer.” And “[b]y signing, that individual” (the CEO or their designee) “attests that the software in question was developed in conformity with the secure software practices delineated within the form.”
Timing of Implementation. The OMB Memorandum, published on September 14, 2022, established a fairly rapid pace for implementation and required agencies to begin collecting self-attestation letters from “critical software” providers by June 11, 2023 (i.e., within 270 days of publication of the OMB Memorandum) and from all software providers by September 14, 2023 (i.e., within 365 days of publication of the OMB Memorandum). However, it has been reported that OMB has extended these deadlines and tied them to finalization of the common form: agencies are now required to collect self-attestation letters from “critical software” providers within three months after the common form is finalized, and from all software providers within six months after the common form is finalized.
CISA Publishes International Guidance on Implementing Security-by-Design and Security-by-Default Principles for Software Manufacturers and Customers
On April 13, 2023, CISA released guidance on Security-by-Design and Security-by-Default principles for technology manufacturers. This guidance was jointly developed by CISA, the U.S. Federal Bureau of Investigation, and the U.S. National Security Agency, together with cybersecurity authorities in Australia, Canada, the United Kingdom, Germany, the Netherlands, and New Zealand. The guidance is intended as “a roadmap for technology manufacturers to ensure security of their products” and builds on the release of the U.S. National Cybersecurity Strategy. The guidance is in line with the U.S. Government’s efforts to promote secure software development (including the self-attestations discussed above) and to encourage a consistent, international approach to software security that emphasizes the responsibilities of software manufacturers across jurisdictions. While the guidance primarily focuses on recommendations for technology manufacturers, it also includes recommendations for enterprise customers to “hold their supplying technology manufacturers accountable for the security outcomes of their products.”
Overall, the guidance establishes three “core principles” to guide software manufacturers in building software security into their design processes:
- The burden of security should not fall solely on the customer;
- Manufacturers should embrace “radical” transparency and accountability; and
- Manufacturers should build organizational structure and leadership to achieve these goals, including executive-level commitment to implement changes.
The guidance further outlines recommendations for implementing secure-by-design and secure-by-default principles, which are further described in our post on Covington’s Inside Privacy blog.
CISA Releases Two SBOM Documents
On April 21, 2023, CISA released two community-drafted documents around SBOMs:
- Types of SBOM Documents – Given the different ways that SBOM data can be collected, this document “summarizes some common types of SBOMs that tools may create today, along with the data typically presented for each type of SBOM.”
- Minimum Requirements for Vulnerability Exploitability eXchange (“VEX”) – A VEX “indicates the status of a software product or component with respect to a vulnerability.” This document specifies the minimum elements to create a VEX document in order to “allow interoperability between different implementations and data formats of VEX.”
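As an added illustration (not part of the original post, and not code from CISA or any VEX tool), the following Python sketch shows what a consumer of VEX data does with the minimum elements: it checks that each statement carries a product, a vulnerability and a status, that a “not affected” claim is backed by a justification and an “affected” claim by an action statement, and then applies the statements to a scanner’s list of findings so that only genuinely open items remain. The four status values and five justification names are the ones enumerated in CISA’s document; the field names, the document layout and the sample identifiers are simplifications constructed here for illustration rather than any official VEX format.

```python
"""Apply VEX statements to scanner findings (constructed example)."""
from __future__ import annotations

# The four product-status values and the five "not_affected" justifications
# below are those enumerated in CISA's April 2023 "Minimum Requirements for
# VEX". Everything else (field names, document layout, sample data) is a
# simplified schema constructed for this example, not an official format.
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "vulnerable_code_not_in_execute_path",
    "inline_mitigations_already_exist",
}
REQUIRED_METADATA = ("document_id", "author", "timestamp", "version")
REQUIRED_STATEMENT = ("vuln_id", "product_id", "status")


def validate_vex(doc: dict) -> list[str]:
    """Return a list of problems with a VEX document; an empty list means acceptable."""
    problems = [f"missing metadata field {f!r}" for f in REQUIRED_METADATA if not doc.get(f)]
    for i, stmt in enumerate(doc.get("statements", [])):
        where = f"statement {i}"
        for f in REQUIRED_STATEMENT:
            if not stmt.get(f):
                problems.append(f"{where}: missing {f!r}")
        status = stmt.get("status")
        if status and status not in STATUSES:
            problems.append(f"{where}: unknown status {status!r}")
        # A "not_affected" claim is only useful if the producer says why.
        if status == "not_affected" and stmt.get("justification") not in JUSTIFICATIONS:
            problems.append(f"{where}: not_affected without a recognised justification")
        # An "affected" claim should tell the customer what to do about it.
        if status == "affected" and not stmt.get("action_statement"):
            problems.append(f"{where}: affected without an action statement")
    return problems


def triage(findings: list[dict], doc: dict) -> dict[tuple[str, str], str]:
    """Map each (product_id, vuln_id) scanner finding to a triage status.

    A finding with no matching VEX statement stays "unreviewed" so that it is
    never hidden by accident; a malformed VEX document is rejected outright.
    """
    problems = validate_vex(doc)
    if problems:
        raise ValueError("invalid VEX document: " + "; ".join(problems))
    by_key = {(s["product_id"], s["vuln_id"]): s["status"] for s in doc["statements"]}
    return {
        (f["product_id"], f["vuln_id"]): by_key.get((f["product_id"], f["vuln_id"]), "unreviewed")
        for f in findings
    }


def open_findings(findings: list[dict], doc: dict) -> list[tuple[str, str]]:
    """Findings the customer still has to act on: anything VEX did not resolve."""
    unresolved = {"affected", "under_investigation", "unreviewed"}
    return sorted(key for key, status in triage(findings, doc).items() if status in unresolved)


# Constructed sample data; product and vulnerability identifiers are placeholders.
SAMPLE_VEX = {
    "document_id": "vex-2023-04-example-001",
    "author": "Example Software Producer",
    "timestamp": "2023-04-21T00:00:00Z",
    "version": "1",
    "statements": [
        {"product_id": "pkg:example/app@2.1.0", "vuln_id": "VULN-0001",
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"product_id": "pkg:example/app@2.1.0", "vuln_id": "VULN-0002",
         "status": "affected", "action_statement": "Upgrade to 2.1.1"},
        {"product_id": "pkg:example/app@2.1.0", "vuln_id": "VULN-0003", "status": "fixed"},
    ],
}
SAMPLE_FINDINGS = [
    {"product_id": "pkg:example/app@2.1.0", "vuln_id": v}
    for v in ("VULN-0001", "VULN-0002", "VULN-0003", "VULN-0004")
]

if __name__ == "__main__":
    for key, status in triage(SAMPLE_FINDINGS, SAMPLE_VEX).items():
        print(key, status)
    print("still open:", open_findings(SAMPLE_FINDINGS, SAMPLE_VEX))
```

The design choice worth noting is the default: a finding that no VEX statement covers is reported as unreviewed rather than silently dropped, and a “not affected” statement without one of the recognised justifications is rejected rather than trusted, which is the interoperability point the minimum-elements document is trying to secure.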
CISA’s latest SBOM publications continue to advance the prior work of the U.S. National Telecommunications and Information Administration (“NTIA”), which was tasked with publishing minimum elements for an SBOM under Section 4 of the Cyber EO.