On February 4, 2022, the National Institute for Standards and Technology (“NIST”) published its Recommended Criteria for Cybersecurity Labeling of Consumer Software (“Software Labeling Criteria”). NIST also published guidance to federal agencies regarding practices for enhancing software supply chain security when they acquire software (“Supply Chain Security Guidance”). Both the Software Labeling Criteria and the Supply Chain Security Guidance were issued by NIST pursuant to Section 4 of Executive Order 14028, “Improving the Nation’s Cybersecurity” (the “Cyber EO”), which was issued by President Biden on May 12, 2021. The Cyber EO and its implementation are the subject of several previous Covington blogs that are available here.
These documents have relevancy to U.S. government contractors and technology companies alike. The Software Labeling Criteria may serve as a model for labeling requirements on software products purchased by consumers, and therefore should be reviewed closely by all software developers and resellers. The Supply Chain Security Guidance will likely have more immediate impacts, as the Cyber EO requires (1) that the Office of Management and Budget (“OMB”) take “appropriate steps” to require that agencies comply with the Guidance with respect to software purchased after the date of the EO, and (2) that the FAR to be amended to require all agencies to procure software (defined to include firmware, operating systems, applications, and cloud-based services) in accordance with the Guidance.
Continue Reading NIST Publishes Recommended Criteria for Cybersecurity Labeling for Consumer Software and Guidance to Federal Agencies on Practices to Enhance Supply Chain Security When Procuring Software