US government extends software security deadline because vendors aren't ready

This from the Administration that made infosec a priority

The Biden Administration has extended the deadline for federal agencies to submit documentation proving that the software they use was developed with appropriate security practices, because the form for reporting on such matters isn't complete.

Since coming into office in 2021, the Administration has focused on cybersecurity for both the government and private sectors, with an emphasis on hardening the software supply chain in the wake of incidents such as the SolarWinds attack.

One of the Administration's tactics was requiring software vendors to attest to their use of federal software development standards defined by the National Institute of Standards and Technology's (NIST's) Secure Software Development Framework [PDF].

The deadline for government agencies to collect attestation certificates from their vendors was September 14. But that dog ain't going to hunt just yet.

A five-page memorandum [PDF] issued this month by the Office of Management and Budget (OMB) has pushed the deadline into the future. The US Cybersecurity and Infrastructure Security Agency (CISA) is developing a common attestation form that all vendors will be required to use. Once the OMB approves it, agencies will have three months to collect certificates from critical providers and six months for the remainder of their software vendors.

"This memorandum … reaffirms the importance of secure software development practices," OMB Director Shalanda Young wrote.

Herding cats

The deadline extension highlights the multiple moving parts involved with the process around attestation. The National Institute of Standards and Technology (NIST) last year updated the Secure Software Development Framework (SSDF) and issued guidance around software supply chain security.

CISA in April published a draft Secure Software Self-Attestation Form and sent out a request for comment, with the deadline for feedback coming June 26. With that date in sight, OMB pushed out the deadline for collection of vendors' own forms. It's a smart business move to use a single common form for all vendors and to wait until that common form is approved before collecting them.

Vendors who sign the attestation forms acknowledge that their products adhere to the development standards in the NIST SSDF, which was released in February 2022. The goal is to protect government agencies from the growing threat of supply chain attacks, such as when malicious code was added to SolarWinds software, or the ongoing exploitation of a flaw in the Log4j open-source logging tool.

Attestation forms are crucial "because the producer of that end product is best positioned to ensure its security," Young wrote. "An attestation provided by that producer to an agency serves as an affirmative statement that the producer follows the secure software development minimum requirements, as articulated in the common form."

A breather for software makers, too

The extended deadline for the forms means relief for both government agencies and software makers who may still be getting up to speed on the requirements, according to Dan Lorenc, CEO and co-founder at Chainguard, a startup focusing on security software supply chains.

"Software supply chain is now officially a boardroom and C-Suite problem," Lorenc told The Register. "But the initial pain will be felt by software developers and engineering and platform teams scrambling to understand what software is where, how it's secured and how it's used across their organizations."

Executives at companies that sell software to the federal government therefore need to ensure their developers are building secure software while balancing productivity and innovation, he said.

Supply chain attacks appear to be rising due to several factors, among them increased use of open-source software and reusable components, contributions from multiple sources, and accelerated code release cadences.

The government and private sectors are pushing back against supply chain attacks in part by forcing software vendors, through attestation and SBOMs (software bills of material), to better secure their products.

Scrutiny needed for open source

Lorenc said that regulations also should address open-source software, as some widely-used projects continue to be maintained by volunteers or part-timers who have day jobs that mean they can't always detect or address security issues in a timely manner.

"Organizations who use open-source software need to also take accountability for securing what's in their supply chains," he said.

The government also needs to work closely with the software industry on developing higher level SBOM data. SBOMs are like the labels on food products, a list of the components that make up a software product so that users know what's inside. The better the data, the more secure the software can be.

In addition, "SBOMs will have broader commercial implications, and industry has access to more data today." ®
