The Office of Management and Budget released guidance for federal agencies AND CONTRACTORS, telling them what they need to do in order to comply with the executive order on cybersecurity. Of course, since this is the government, it took OMB more than a year to release this.
This has a big side benefit, and one that nobody should ignore.
The government buys, for example, Cisco network hardware and Microsoft software. Those companies will be forced to comply with the OMB rules, and they are NOT going to maintain two versions of their products, one for federal agencies and contractors and one for everyone else. This is a case where a rising tide lifts all ships.
Even if you are not working for a federal agency or federal contractor, THIS WILL AFFECT YOU. Those contractors buy stuff from folks like you. Do you think they are going to say that just because you are not part of the contract, you won’t have to comply? If you do think that, I want to know what you are smoking.
Here is what I predict will happen. Poop flows downhill. This will go a long way down the supply chain.
But more importantly, Fortune 2000 companies are going to say "if these standards are good enough for the government, they are good enough for us." They will write these standards into COMMERCIAL, NON-GOVERNMENTAL contracts and tell their supply chain to comply. Or they will find suppliers that will.
Here is, briefly, what is in the OMB directive (Memorandum M-22-18). Read the directive itself (see below) to fill in the details.
- Consistent with the NIST Guidance and by the timelines identified below, agencies are required to obtain a self-attestation from the software producer before using the software.
This means that companies who sell software to the government will have to attest, in writing, that they follow the secure development practices in the NIST guidance (the NIST Secure Software Development Framework, SP 800-218). Liars risk getting hit with False Claims Act qui tam whistleblower lawsuits.
- Agencies may obtain from software producers artifacts that demonstrate conformance to secure software development practices, as needed.
That means you had better have some of them there artie-facts on hand. The memo names a Software Bill of Materials (SBOM) as one example of such an artifact.
Here is what the agencies need to do:
- Inventory all software covered by the memo, including critical software (90 days)
- Communicate the requirements to software providers, and ensure that attestation letters a provider does not post publicly are collected in a central agency system (120 days)
- Assess training needs and develop plans to train agency staff to review and validate attestations and artifacts (180 days)
- Collect attestation letters for critical software (270 days)
- Collect attestation letters for all other covered software (365 days)
- Agencies can ask OMB for extensions to these deadlines
- Agencies can request waivers, in writing, which will be reviewed by OMB in coordination with the President's national security advisor. Don't expect a lot of these to be approved.
OMB has process homework of its own, due within 90 and 180 days.
CISA has 120 days to come up with an approved standard self-attestation form. This should help keep the vendor lawyers from using wiggle-room language.
CISA has a year to establish a government-wide repository for attestations and artifacts, which must be initially operational within 18 months of the memo and fully operational within 24 months.
NIST will update its SSDF guidance as needed.
If you need help getting ready for this, either because you are a federal vendor or because you think complying with these rules is a competitive advantage, please contact us.
Credits: