
Sun, Sep 18

OMB Memo Identifies Best Practices for Software Supply Chain Protections

On September 14, 2022 the US Office of Management and Budget published a memo instructing federal agencies to adopt the software supply chain security practices defined in NIST guidance. These practices are practical and achievable with tools available today from the CycloneDX and SPDX SBOM communities. Software consumers should request an “attestation” of conformance to the NIST Guidance identified in the OMB memo. Here are some of the key provisions of the memo that Energy industry entities may want to consider to help secure their own software supply chains:

  • Ensuring software integrity is key to protecting Federal systems from threats and vulnerabilities and reducing overall risk from cyber-attacks. The NIST Guidance provides “recommendations to federal agencies on ensuring that the producers of software they procure have been following a risk-based approach for secure software development.” Federal agencies must only use software provided by software producers who can attest to complying with the Government-specified secure software development practices, as described in the NIST Guidance.
  • A software producer’s self-attestation serves as the “conformance statement” described by the NIST Guidance. The agency must obtain a self-attestation for all third-party software subject to the requirements of this memorandum used by the agency, including software renewals and major version changes.
  • If the software producer cannot attest to one or more practices from the NIST Guidance identified in the standard self-attestation form, the requesting agency shall require the software producer to identify those practices to which they cannot attest, document practices they have in place to mitigate those risks, and require a Plan of Action & Milestones (POA&M) to be developed.
  • Agencies may obtain from software producers artifacts that demonstrate conformance to secure software development practices, as needed.
    • A Software Bill of Materials (SBOM) may be required by the agency in solicitation requirements.
    • SBOMs must be generated in one of the data formats defined in the National Telecommunications and Information Administration (NTIA) report “The Minimum Elements for a Software Bill of Materials (SBOM).”
    • Artifacts other than the SBOM (e.g., from the use of automated tools and processes which validate the integrity of the source code and check for known or potential vulnerabilities) may be required if the agency determines them necessary.
    • Evidence that the software producer participates in a Vulnerability Disclosure Program may be required by the agency.
  • Compliance with the EO and NIST Guidance requires that agencies engage in appropriate planning. In order to ensure compliance and reduce risk, agencies must integrate the NIST Guidance into their software evaluation process as outlined in this memorandum.
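The SBOM requirement above is the one provision a consumer can check mechanically the moment an artifact arrives. The following is an added example, not code from the OMB memo, NIST, CISA or any VRF tooling: it takes a CycloneDX JSON SBOM (one of the NTIA-listed formats) and reports which of the seven NTIA minimum elements (supplier name, component name, version, unique identifier, dependency relationship, SBOM author, timestamp) are missing. The CycloneDX field names are those of the CycloneDX 1.4 JSON schema; the two sample SBOMs, the vendor and component names in them, and the `check_minimum_elements` function are constructed for this example.

```python
"""Check a CycloneDX JSON SBOM against the NTIA minimum elements.

Added example (not from the OMB memo, NIST, CISA or VRF tooling).
Sample SBOMs and names below are constructed for the example.
"""
import json


def _has_supplier(component: dict) -> bool:
    # NTIA "supplier name": CycloneDX carries it as component.supplier.name
    return bool((component.get("supplier") or {}).get("name"))


def _has_identifier(component: dict) -> bool:
    # NTIA "other unique identifiers": purl, CPE or SWID tag
    return bool(component.get("purl") or component.get("cpe") or component.get("swid"))


def check_minimum_elements(sbom: dict) -> list:
    """Return a list of findings; an empty list means every minimum element is present."""
    findings = []
    if sbom.get("bomFormat") != "CycloneDX":
        # SPDX documents carry "spdxVersion" instead and need a separate checker
        findings.append("not a CycloneDX document (bomFormat)")
        return findings
    meta = sbom.get("metadata") or {}
    # Author of SBOM data: a person/org in metadata.authors or a generator in metadata.tools
    if not meta.get("authors") and not meta.get("tools"):
        findings.append("missing SBOM author (metadata.authors or metadata.tools)")
    if not meta.get("timestamp"):
        findings.append("missing timestamp (metadata.timestamp)")
    components = sbom.get("components") or []
    if not components:
        findings.append("no components listed")
    refs = set()
    for c in components:
        name = c.get("name") or "<unnamed>"
        if not c.get("name"):
            findings.append("component without name")
        if not c.get("version"):
            findings.append(f"{name}: missing version")
        if not _has_supplier(c):
            findings.append(f"{name}: missing supplier name")
        if not _has_identifier(c):
            findings.append(f"{name}: missing unique identifier (purl/cpe/swid)")
        if c.get("bom-ref"):
            refs.add(c["bom-ref"])
    # Dependency relationship: the graph must exist and every component must appear in it
    deps = sbom.get("dependencies") or []
    if not deps:
        findings.append("missing dependency relationships (dependencies)")
    else:
        graph_refs = set()
        for d in deps:
            graph_refs.add(d.get("ref"))
            graph_refs.update(d.get("dependsOn") or [])
        for r in sorted(refs - graph_refs):
            findings.append(f"{r}: not in dependency graph")
    return findings


# Constructed sample: satisfies all seven minimum elements
COMPLETE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "metadata": {
    "timestamp": "2022-09-15T10:00:00Z",
    "authors": [{"name": "Example Vendor SBOM Team"}],
    "component": {"type": "application", "name": "grid-monitor",
                  "version": "2.1.0", "bom-ref": "app"}
  },
  "components": [
    {"type": "library", "bom-ref": "pkg:pypi/examplelib@1.4.2",
     "name": "examplelib", "version": "1.4.2",
     "supplier": {"name": "Example Upstream Project"},
     "purl": "pkg:pypi/examplelib@1.4.2"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:pypi/examplelib@1.4.2"]}
  ]
}""")

# Constructed sample: no timestamp, no supplier/identifier, no dependency graph
INCOMPLETE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "metadata": {"authors": [{"name": "Example Vendor SBOM Team"}]},
  "components": [
    {"type": "library", "bom-ref": "libfoo", "name": "libfoo", "version": "1.0"}
  ]
}""")


if __name__ == "__main__":
    for label, doc in (("complete", COMPLETE_SBOM), ("incomplete", INCOMPLETE_SBOM)):
        print(label, check_minimum_elements(doc) or "OK")
```

Run as a script it prints `OK` for the first sample and four findings for the second. In an acquisition workflow the same function would run over the SBOM fetched from the vendor's portal before the attestation is accepted, and any finding becomes a question back to the producer rather than a silent gap.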

CISA has been assigned responsibility for creating a “common form” for the self-attestation “conformance statement” by January 2023. Software vendors and their consumers need to communicate the location of the required NIST Guidance artifacts listed in the memo, preferably using a machine-readable, automated method that makes acquiring these artifacts straightforward. An open-source, free-to-use Vendor Response File (VRF) format can be used to communicate the location of these required artifacts. The open-source VRF has been designed to satisfy the North American Transmission Forum Security Assessment Model and NIST SP 800-161 C-SCRM standards. A JSON representation of the open-source Vendor Response File is also available online.

Federal agencies are required to implement the NIST Guidance over the next 24 months, with the requirement to communicate artifact information requirements to software vendors starting in January 2023. The open-source VRF may provide agencies with an effective, easy-to-use method to achieve this goal, as it is readily available and free to use as an XML Schema format. The locations of SDLC practice statements, SDLC conformance attestations, a product SBOM and Vulnerability Disclosure Report artifacts are already supported in the open-source, free-to-use VRF XML schema. Software vendors place a VRF on their customer portal where federal agencies and other customers can download the information.