This is the twenty-sixth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through May 2023.  This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during June 2023.

NIST Hosts Workshop on Common Attestation Form

On June 1, 2023, NIST hosted a workshop on OMB M-22-18 Minimum Requirements for secure software self-attestations pursuant to Section 4 of the Cyber EO.  The workshop included two panels with speakers from OMB and CISA.

During the workshop, OMB announced that the deadline for self-attestations had been extended, and this was confirmed in a June 9, 2023 follow-up OMB Memorandum (see below).  OMB representatives also noted that they anticipate the Common Form will be finalized this Fall or Winter.

Additionally, OMB representatives acknowledged that some agencies had already issued their own self-attestation forms and guidance earlier this year (e.g., NASA and GSA), but stated that they expect that these agencies may make some changes to the attestation process based on OMB’s updated timeline.  OMB representatives reiterated that although agencies are free to supplement the common form issued by CISA with additional requirements, they understood that most agencies did not intend to differ much from the common form.  If an agency chooses to forgo the common form and create its own form entirely, OMB representatives explained that the agency would need to follow the full Paperwork Reduction Act process. 

OMB representatives confirmed that they are working on creating a central repository for self-attestation forms.  Contractors would be able to upload their attestations to the central repository, and agencies would be able to access the repository.  They noted that one goal of the repository is to avoid duplicative asks of contractors.  This repository is still a work in progress, and until it is complete, agencies will need to collect self-attestation forms from contractors directly.

OMB representatives confirmed that contractors will be able to use a POA&M if they are unable to attest to implementing all of the requirements identified in the self-attestation form.  Contractors will not be allowed to do a partial self-attestation.  OMB representatives stated that it was unlikely that a template POA&M would be created due to the unique nature of software products.

When asked about the definition of critical software, OMB representatives responded that they understood that most agencies would be using the NIST definition of critical software.  They acknowledged that some vendors may not know that they had been identified as critical.  They encouraged vendors to reach out to agencies to discuss but did not provide more guidance. 

When asked whether OMB anticipated any guidance or memorandum that would standardize the SBOM process, the OMB representatives responded that they were considering such an approach, but more time was needed.  They reiterated that SBOMs are not part of the minimum requirements at this time, but SBOMs could be incorporated as a minimum requirement in the future.

Finally, the OMB representatives stated that they thought it would make practical sense for companies to self-attest for the entire company if possible, instead of on a product-by-product basis.

OMB Issues M-23-16, “Update to Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices”

On June 9, 2023, OMB published M-23-16, “Update to Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” (“June 2023 Update”).  M-22-18, published in September 2022, mandates that to use software, agencies must first obtain a self-attestation from software providers that the software developer follows the secure development processes described by the NIST Secure Software Development Framework (“NIST SP 800-218”) and the NIST Software Supply Chain Security Guidance.  CISA released a draft self-attestation form in late April that largely tracks the NIST standards, but the form has not yet been finalized.  The June 2023 Update provides several significant updates and clarifications to the self-attestation process.

First, the timeline by which agencies must collect attestations or POA&Ms is extended, as the final form for attestation is not yet available.  The new deadlines for agencies to collect attestations are three months after CISA and OMB finalize the common form for critical software and six months after for all other software.

The June 2023 Update provides that agencies will only need to collect the attestations from the prime contractor, though this puts the burden on prime contractors to ensure they can provide the attestation with respect to the entire software end product, including with respect to the integration of components that may be developed by subcontractors or other third parties.

Moreover, the June 2023 Update states that agencies are not required to collect an attestation for open source software, including software that is proprietary but freely obtained and publicly available.  Additionally, agencies are not required to collect an attestation for agency-developed software, which is software over which the contracting agency has sufficient control that the agency itself is able to ensure the secure software development practices are followed throughout the entire software development lifecycle.  The memorandum further clarifies that agency CIOs are required to make the determination of whether software can be considered agency-developed.

Where a contractor submits a POA&M instead of an attestation of current compliance, the June 2023 Update provides that the contractor must identify the specific practices to which it cannot attest and document the practices it has in place to mitigate the associated risks.  The agency may continue to use the software if it finds the POA&M satisfactory, but it must also provide the POA&M to OMB and seek OMB’s approval for an extension of the attestation requirement.

CISA Hosts an SBOM-a-rama

On June 14, 2023, CISA hosted an “SBOM-a-rama” to discuss the current state of Software Bill of Materials (“SBOM”) and next steps.  Sessions covered sector-specific SBOM work as well as generally applicable concerns about SBOMs, such as the sharing and exchanging of SBOMs and how to implement an SBOM.

One of the speakers at the SBOM-a-rama was Shon Lyublanovitz, the leader of CISA’s cyber supply chain risk management (C-SCRM) program office, which is responsible for reviewing and responding to the comments on CISA’s proposed common self-attestation form.  In response to a question regarding why there was no mention of SBOMs in the common form, Ms. Lyublanovitz stated that OMB wants to take a “crawl, walk, run” approach and therefore decided not to include a requirement for SBOMs in the proposed common form.  She noted, however, that agencies can ask for SBOMs if they want to.  She also noted that provenance is mentioned in the SSDF in the context of third-party software code, and invited comments on how stakeholders planned to address this requirement.

Following the SBOM-a-rama, CISA officials distributed to the participants a draft of “SBOM FAQs” that consisted of approximately 30 pre-existing or revised questions and answers as well as nine new questions and answers. These officials invited comments on the new and modified FAQs. When finalized, CISA intends to post the FAQs on its website as a resource for the SBOM community.

CISA Receives Comments on the Secure Software Development Attestation Common Form

As discussed above, on April 27, 2023, CISA released a 60-day Request for Comment on its draft secure software development attestation common form, which was developed in close consultation with OMB.  The Request for Comment stated that CISA would accept comments through June 26, 2023.  While the comment period deadline has passed, organizations and others have continued to submit comments.  As of June 28, 2023, CISA had received 110 comments on the draft common form, including from major trade industry groups and coalitions.  The comments have raised various points and concerns regarding the draft common form, including (but not limited to):

  • Mapping Inconsistencies – Some comments stated that the common form’s requirements are inconsistent with NIST SP 800-218. 
  • Verification Evidence and Artifacts – Some comments stated that the common form did not provide guidance regarding artifacts that agencies may require as part of the attestation process. 
  • Scope of “Software” – Some comments have raised concerns and questions about the scope of the definition of “software” under OMB Memorandum M-22-18, including whether the requirements are intended to apply to commercially available off-the-shelf products, Internet of Things (“IoT”) devices, and hardware products that may contain software and connect to government information systems.
Robert Huffman

Bob Huffman counsels government contractors on emerging technology issues, including artificial intelligence (AI), cybersecurity, and software supply chain security, that are currently affecting federal and state procurement. His areas of expertise include the Department of Defense (DOD) and other agency acquisition regulations governing information security and the reporting of cyber incidents, the proposed Cybersecurity Maturity Model Certification (CMMC) program, the requirements for secure software development self-attestations and bills of materials (SBOMs) emanating from the May 2021 Executive Order on Cybersecurity, and the various requirements for responsible AI procurement, safety, and testing currently being implemented under the October 2023 AI Executive Order. 

Bob also represents contractors in False Claims Act (FCA) litigation and investigations involving cybersecurity and other technology compliance issues, as well more traditional government contracting costs, quality, and regulatory compliance issues. These investigations include significant parallel civil/criminal proceedings growing out of the Department of Justice’s Cyber Fraud Initiative. They also include investigations resulting from False Claims Act qui tam lawsuits and other enforcement proceedings. Bob has represented clients in over a dozen FCA qui tam suits.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including those arising under the Buy American Act/Trade Agreements Act and Section 889 of the FY2019 National Defense Authorization Act. In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial products, services, and software. He focuses this aspect of his practice on the overlap of these traditional government contracts IP rules with the IP issues associated with the acquisition of AI services and the data needed to train the large learning models on which those services are based. 

Bob writes extensively in the areas of procurement-related AI, cybersecurity, software security, and supply chain regulation. He also teaches a course at Georgetown Law School that focuses on the technology, supply chain, and national security issues associated with energy and climate change.

Susan B. Cassidy

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government contractors and represents her clients before the Defense Contract Audit Agency (DCAA), Inspectors General (IG), and the Department of Justice with regard to those investigations.  From 2008 to 2012, Ms. Cassidy served as in-house counsel at Northrop Grumman Corporation, one of the world’s largest defense contractors, supporting both defense and intelligence programs. Previously, Ms. Cassidy held an in-house position with Motorola Inc., leading a team of lawyers supporting sales of commercial communications products and services to US government defense and civilian agencies. Prior to going in-house, Ms. Cassidy was a litigation and government contracts partner in an international law firm headquartered in Washington, DC.

Ryan Burnette

Ryan Burnette advises defense and civilian contractors on federal contracting compliance and on civil and internal investigations that stem from these obligations. Ryan has particular experience with clients that hold defense and intelligence community contracts and subcontracts, and has recognized expertise in national security related matters, including those matters that relate to federal cybersecurity and federal supply chain security. Ryan also advises on government cost accounting, FAR and DFARS compliance, public policy matters, and agency disputes. He speaks and writes regularly on government contracts and cybersecurity topics, drawing significantly on his prior experience in government to provide insight on the practical implications of regulations.

Matthew Harden

Matthew Harden is a litigation associate in the firm’s New York office and advises on a broad range of cybersecurity, data privacy, and national security matters, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, and regulatory inquiries.