Why it matters: The US Administration wants to strengthen the software supply chain by requiring vendors and federal agencies to certify that the software they sell (and use) is secure. It turns out the certification process can be much more complex and troublesome than initially foreseen.
Published by the National Institute of Standards and Technology (NIST) as Special Publication 800-218, the Secure Software Development Framework (SSDF) is a set of recommended practices for reducing the number of security flaws in released software and mitigating the ones that remain. Revised under Executive Order 14028, which followed the SolarWinds supply-chain compromise, the guidance is meant to help US federal agencies, software developers and vendors build a more secure and trustworthy software supply chain.
In OMB memorandum M-22-18, issued September 14, 2022, the US government had initially set fixed deadlines for federal agencies to comply with the SSDF and the related NIST guidance. Agencies had to confirm that the software they use comes from vendors who can attest to following “Government-specified minimum secure software development practices.”
Those deadlines have now been pushed back, because the Office of Management and Budget (OMB) is still working with the US Cybersecurity and Infrastructure Security Agency (CISA) on a “common form” for software attestation. Once the form is finalized, all vendors supplying software to the federal government will be required to sign it. Federal agencies will then have three months to collect attestations for “critical” software and six months to collect them for all other software.
The new memorandum (M-23-16) reaffirms the “importance of secure software development practices,” the OMB says, while CISA is collecting public feedback on the draft “Secure Software Self-Attestation Form” until June 26, 2023. The latest SSDF version (1.1) dates back to February 2022 and provides a detailed list of development and review practices intended to make software used by the US government harder to compromise.
Furthermore, the OMB has clarified that the attestation requirement does not apply to open source and other “freely, directly obtained” software used by federal agencies and personnel. This category is outside the scope of the attestation process because the agencies acting as “customers” have no well-defined manufacturer or incorporated entity to negotiate with.
Therefore, attestations about secure development practices will not be required for web browsers and other free, yet significant “core software applications” currently in use across the government. US agencies, however, will still be required to “assess the risk” of running such software on federal systems and take “appropriate steps” to minimize or eliminate known security risks.