The Office of Management and Budget is soliciting feedback through a set of questions to inform the implementation of the National Institute of Standards and Technology’s guidance detailing best practices to improve the security of the software supply chain in accordance with a cybersecurity executive order signed in May 2021.
On Feb. 4, NIST released the Secure Software Development Framework and Software Supply Chain Security Guidance to ensure the security of software being purchased by federal agencies, OMB said Monday.
The executive order directs OMB to require agencies to implement the SSDF and related guidance. However, OMB will seek comments from the private sector on how to implement the guidance before directing agencies to require vendors to attest to compliance with secure software development practices.
OMB is asking stakeholders to describe the ideal process for agencies to secure and retain attestation documents for software being purchased and provide examples of systems, procedures and tools for assessing compliance that should be considered for applicability to the SSDF, among others.
Responses to the questions are due March 18.
NIST will hold a virtual workshop on March 23 to help OMB gain insights from stakeholders to inform the development of implementation guidance for the procurement of secure software by federal agencies.