White House Issues New Memo to Secure Supply Chain

White House Issues New Memo to Secure Supply Chain

OMB’s new supply chain memo calls on agencies to utilize software that has been built following common cybersecurity practices.

The Office of Management and Budget (OMB) issued a memo on Enhancing the Security of the Software Supply Chain through Secure Software Development Practices Wednesday. The directive calls for agencies to use software built with common cybersecurity practices. 

“With the cyber threats facing federal agencies, our technology must be developed in a way that makes it resilient and secure, ensuring the delivery of critical services to the American people while protecting the data of the American public and guarding against foreign adversaries,” Federal CISO and Deputy National Cyber Director Chris DeRusha said in a briefing

The memo was issued under President Biden’s May 2021 cybersecurity executive order that aims to identify, deter, protect against, detect and respond to cybersecurity threats. 

The rule will require federal agencies to use a standardized self-attestation form consistent with the National Institute of Standards and Technology (NIST) Software Supply Chain Security Guidance before using a vendor’s software. Agencies must use the form for all third-party software, including software renewals and major version changes.  

“By strengthening our software supply chain through secure software development practices, we are building on the Biden-Harris Administration’s efforts to modernize agency cybersecurity practices, including our federal zero trust strategy, improving our detection and response to threats, and our ability to quickly investigate and recover from cyberattacks,” DeRusha added. 

The memo also set new deadlines for federal agencies.   

  • Within 90 days, agencies must inventory all software and create a separate inventory for “critical software.” 
  • Within 120 days, agencies must develop a consistent process for communicating relevant requirements and collect letters of attestation from software providers. 
  • Within 180 days, agency CIOs must assess organizational training needs and develop training plans for the review and validation of attestation.   

OMB has called on the Cybersecurity and Infrastructure Security Agency (CISA) and the General Services Administration (GSA) to help develop requirements for a central repository for software attestations and artifacts. 

“Within 1 year from OMB’s establishment of requirements, CISA, in consultation with GSA and OMB, will establish a program plan for a government-wide repository for software attestations and artifacts with appropriate mechanisms for information protection and sharing among federal agencies,” the memo said.  

DeRusha noted that guidance will enable OMB to build trust and transparency across the digital infrastructure and will allow the agency to fulfill its commitment to protect national and economic security.  

“[The memo] is part of a larger enterprise cybersecurity and information technology (IT) modernization plan that ensures we can deliver a simple, seamless and secure customer experience,” DeRusha said.