The White House issued a memorandum that requires each federal agency to comply with the NIST Guidance when using third-party software on the agency’s information systems and to inventory all software subject to its requirements within 90 days.
As part of the new guidance that follows the executive order “Improving the Nation’s Cybersecurity” issued in May last year, federal agencies must only use software provided by software producers who can attest to complying with the Government-specified secure software development practices. Otherwise, a third-party assessment can be provided by a certified FedRAMP Third Party Assessor Organization (3PAO) or one approved by the agency.
Also, a Software Bill of Materials may be required by the agency in solicitation requirements, based on how critical the software is. The SBOMs must be generated in one of the data formats defined in the National Telecommunications and Information Administration (NTIA) report “The Minimum Elements for a Software Bill of Materials (SBOM).”
Agency CIOs will need to assess training needs and develop training plans for the review and validation of software attestations and artifacts within 180 days.