White House to tech world: Promise you'll write secure code – or Feds won't use it
Developers, why not simply build flawless software, thus solving all our vulnerability worries
The White House has published software security rules for federal agencies as part of a larger push to shore up America's IT supply chains.
Today's requirements [PDF] stem from US President Joe Biden's cybersecurity executive order from May 2021, which was in response to the SolarWinds disaster and other high-profile software supply chain meddling.
Specifically, federal government agencies are now required to obtain a self-attestation from any third-party software providers they use. This is essentially a guarantee from the vendor that their product meets minimum NIST standards for secure software development.
If and when they renew their licenses with third-party software providers, or when the developer makes any major changes to the code, the agencies must obtain a new self-attestation. The requirements, drawn up by the Office of Management and Budget, apply to software developed from now on, including any major releases in future. They do not apply to code developed in-house at an agency – though adhering to the rules anyway is encouraged.
The rules also note that, if the software vendor "cannot attest to one or more practices from the NIST Guidance identified in the standard self-attestation form," then the tech company needs to identify potential risks, document how they will mitigate these risks, and develop a "Plan of Action & Milestones," also in accordance with NIST.
It's hoped these requirements will result in safe, secure software, or at least keep government staff informed of the risks and mitigations when deploying applications. The exact timeline of required action is in appendix A of the above PDF; for example, agencies have up to 270 days to collect self-attestation notices for critical software.
Uncle Sam wants federal agencies and software providers to keep those attestations hush-hush so that America doesn't give foreign spies and other miscreants a heads-up on how to break into US networks. "The agency shall take appropriate steps to ensure that such documentation is not posted publicly, either by the vendor or by the agency itself," the rules instruct.
As an alternative to a software provider's self-attestation, or where an agency wants to use open source software or products that include open source code, the White House says a third-party assessment by a certified Federal Risk and Authorization Management Program (FedRAMP) assessor organization will do.
A third-party assessment provided by either a certified FedRAMP Third Party Assessor Organization (3PAO) or one approved by the agency shall be acceptable in lieu of a software producer's self-attestation, including in the case of open source software or products incorporating the free code, provided the 3PAO uses the NIST Guidance as the assessment baseline.
And finally, the memorandum encourages agencies to obtain "artifacts," such as a software bill of materials (SBOM), for example, "that demonstrate conformance to secure software development practices, as needed," from developers.
Agencies can also demand evidence that a software maker "participates in a vulnerability disclosure program" if required by the Feds, thus ensuring that any discovered flaws can be flagged up and fixed.
"Not too long ago, the only real criteria for the quality of a piece of software was whether it worked as advertised," said Chris DeRusha, federal chief information security officer, in a statement.
"With the cyber threats facing federal agencies, our technology must be developed in a way that makes it resilient and secure, ensuring the delivery of critical services to the American people while protecting the data of the American public and guarding against foreign adversaries."
Today's requirements, DeRusha added, "will ensure that millions of lines of code that underpin federal agencies' work are built with industry security standards in place."
While these security rules only apply to the federal government and its contractors, they will likely have an impact on private corporations as well, since they use many of the same security products and services from vendors that supply the Feds.
As one senior administration official said, during a press briefing on Biden's executive order, "we're all using the same software. We're all using Outlook email. We're all using Cisco and Juniper routers. So, essentially, by setting those secure software standards, we're benefiting everybody broadly."
This, in turn, will require technology providers to prioritize secure software development, said Chainguard CEO Dan Lorenc, a former Googler and co-creator of the Sigstore standard for open source software and supply-chain security.
"The role of government in this setting is to exert their influence as a software purchaser to require vendors to conform to industry best practices and standards for securing the software supply chain," Lorenc told The Register. "By issuing this guidance OMB is drawing a line in the sand and making this issue a top priority."
Now that the government has made buying secure software a top priority, "vendors need to prioritize delivering it," he added. "Simply put, we need to build and make available better developer tools that seamlessly integrate into the development lifecycles today." ®