New Requirement for Software Deliverables to Comply with NIST 800-218

By Skyler Handl, Corporate Counsel, Public Sector

On September 14, 2022, OMB took a substantial step forward in implementing EO 14028, Improving the Nation's Cybersecurity, by issuing memorandum M-22-18. This memorandum requires agency leaders to comply with the NIST Secure Software Development Framework (SSDF), SP 800-218, and the NIST Software Supply Chain Security Guidance with regard to third-party software in agency information systems. This applies to software developed, or modified by major changes, after September 14, 2022, regardless of whether the software is a commercial product or COTS item.

How does this impact your business?

Agencies are required to obtain a self-attestation or conformance statement from the software producer before the agency can begin using any software subject to the memorandum, including software renewals. A third-party assessment provided by either a certified FedRAMP Third Party Assessor Organization (3PAO) or one approved by the requesting agency shall be acceptable in lieu of a software producer's self-attestation. The language of the memorandum indicates that compliance with these standards will be a factor in assessing software solutions during the customer's market research and supplier qualification reviews of the acquisition process, rather than a contractual requirement implemented after award. Failure to provide this information when requested may lead to your business being disqualified by the respective agency and to existing software products being displaced or not renewed by the government end user.

How do you prepare for this change?

While we do not have many details available yet on how each agency will execute a process for obtaining these attestations, it is important for you to review and evaluate your products and system maturity against the two relevant NIST resources: the NIST Secure Software Development Framework (SSDF), SP 800-218, and the NIST Software Supply Chain Security Guidance. Also, while a standard form for a self-attestation or conformance statement is not yet available, the Federal Acquisition Regulatory (FAR) Council is taking action to prepare a standard self-attestation form. Additionally, engaging a FedRAMP-certified 3PAO will provide you with the needed documentation and an understanding of your products and system maturity to provide an accurate self-attestation. The memorandum directs agencies to develop a vendor communication process by January 12, 2023, so you can expect more communications coming soon.

What if I am currently reporting my status to the SPRS? Will I need to also complete an assessment?

If you are compliant with DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, and currently reporting into the Department of Defense Supplier Performance Risk System (SPRS), you will have a leg up in your compliance journey. However, the DFARS 252.204-7020 requirements are related to NIST SP 800-171, and the new requirement under the subject memorandum concerns NIST SP 800-218. NIST SP 800-171 focuses on the protection of Controlled Unclassified Information (CUI) in contractor systems, while NIST SP 800-218 provides recommendations for mitigating the risk of software vulnerabilities in deliverables to the government end user. Additionally, SPRS is a DoD solution that will likely not be leveraged by non-DoD agencies.

When will this change impact your business?

Agencies are required to collect attestation letters for critical software by June 11, 2023, and for all other software by September 14, 2023.



One Response to New Requirement for Software Deliverables to Comply with NIST 800-218

  1. dromarapartners says:

    Excellent summary & yet another requirement for IT providers (including the COTS segment) to the government to have to build into their cost of doing business with the Feds.
