White House Presses Agencies to Adopt New NIST Framework

Most supply chain members have remained compliant with NIST guidance since they first adopted it, because compliance is a requirement for remaining part of the federal supply chain. When new policies and guidelines are issued, however, many businesses are slow to adopt them. The Office of Management and Budget has therefore pressed federal agencies to adopt the new best practices directed under last year's White House cybersecurity executive order.

The Executive Order and Resulting Expectations

The White House issued an executive order in May 2021 stating that agencies in the supply chain must promptly adopt software supply chain security guidance. While the government was initially lenient in giving agencies time to adopt the new policies, it is no longer granting extra time to comply. Agencies are now expected to adopt these new practices immediately in order to be compliant.

Notable New Practices

Under the new NIST framework, government buyers must begin applying the Secure Software Development Framework (SSDF) from the National Institute of Standards and Technology. Under this framework, buyers must obtain attestations that the software products they acquire conform to specified secure development practices. This is intended to ensure the security of software in the supply chain.

Additionally, the Office of Management and Budget is collecting comments on implementing the NIST framework before it undertakes the activities described in it. Agencies are therefore not required to implement these aspects of the framework until those comments have been collected and analyzed.

Helping Agencies Acquire Attestations

OMB recognizes that obtaining attestations is a complicated aspect of the new NIST framework. It is therefore seeking comments on six implementation questions so that it can better help agencies become compliant. The questions are as follows:

  1. How would you describe the ideal process for Federal agencies to obtain and retain secure software development attestation documents for software being procured?

  2. Are there examples of successful systems, tools, and procedures for assessing compliance that should be examined for applicability to the SSDF? What characteristics of other established processes are most important to emulate? Do you recommend any particular standard format(s) for attesting to compliance?

  3. Are there elements of the framework for which there are alternate and potentially more effective ways (e.g., conformity assessments) of demonstrating adoption than attestation?

  4. What risk-based factors should be considered to determine when third-party attestation is most appropriate for affirming adequate SSDF practices are in place?

  5. How should vendors articulate the products and the boundaries of the products covered within the attestation?

  6. What information do vendors need in advance in order to comply with implementation guidance?

How GSec LLC Can Help

Do not hesitate to contact us if you need help implementing any of these new practices or acquiring attestations. We are more than happy to help!

By: Alex O’Reilly

Sources: https://fcw.com/security/2022/03/white-house-reminds-agencies-adopt-nists-software-supply-chain-security-framework/362906/

https://cyber-reports.com/2022/03/10/white-house-reminds-agencies-to-adopt-nists-software-supply-chain-security-framework/

https://www.nist.gov/system/files/documents/2022/03/07/EO%204k%20implementation%20questions.pdf