ARTICLE
4 October 2022

Federal Software Providers Need To Be Ready To Attest To NIST Compliance Within The Coming Year

Womble Bond Dickinson



Companies providing software to the federal government need to be prepared to attest that their software is NIST (National Institute of Standards and Technology)-compliant within the coming year. On September 14, 2022, the Director of the White House Office of Management and Budget issued Memorandum M-22-18, "Enhancing the Security of the Software Supply Chain through Secure Software Development Practices," to the Heads of Executive Departments and Agencies. Pursuant to President Biden's Executive Order 14028, Improving the Nation's Cybersecurity (May 12, 2021), the OMB Memo specifies that "Federal agencies must only use software provided by software producers who can attest to complying with the Government-specified secure software development practices, as described in the NIST Guidance." The NIST Guidance referenced is the Secure Software Development Framework (SSDF), NIST SP 800-218, together with the NIST Software Supply Chain Security Guidance issued under the Executive Order.

The Memo directs federal agencies to obtain a self-attestation of NIST compliance from the software producer before using its software. A standardized self-attestation form will be made available for this purpose. Producers may comply by posting their self-attestation publicly on their website or by including it in their proposals. If a software producer cannot attest to one or more NIST practices, the agency is required to obtain a Plan of Action & Milestones (POA&M) documenting the practices to which the producer cannot attest and the measures in place to mitigate the resulting risks. If the agency finds the POA&M satisfactory, it may use the software without a complete self-attestation. For critical software, agencies also have the flexibility to demand supporting artifacts, such as a Software Bill of Materials (SBOM) or evidence from the producer's own vulnerability-disclosure and testing processes, to demonstrate conformance with secure software development practices. Note that the attestation is the producer's statement about its own development practices; it is not an agency certification of the software, and producers should expect to be held to what they attest.

The Memo sets the following deadlines, each measured from its September 14, 2022 issuance date. Within 90 days, agencies are directed to inventory their software, with a separate inventory for critical software. Within 120 days, agencies are to begin collecting attestation letters from providers. Attestation letters from critical software providers are to be collected within 270 days, with the remainder collected within 365 days. Software producers should therefore expect requests for attestations, and potentially for POA&Ms and artifacts, to begin arriving in early 2023.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
