OMB Memorandum M-22-18: Enhancing the Security of the Software Supply Chain through Secure Software Development Practices requires federal agencies to comply with the NIST Guidance when using third-party software on the agency’s information systems or otherwise affecting the agency’s information. Agencies had a deadline of 13 December 2022 to inventory all software subject to the memorandum and separately inventory ‘critical software’ items.
As you’re incorporating the improvement of secure software supply chain practices into your agencies’ 2023 resolutions, below are some key dates you need to be aware of:
- By 1/12/23: CISA will develop and establish a self-attestation common form which will include “the minimum elements of NIST 900-218 as identified by OMB”
- By 3/13/23: Agencies must “assess organization training needs and develop training plans for review and validation of full attestation of documents and artifacts”
- By 6/11/23: Agencies must “collect attestation letters not posted publicly by software providers for ‘critical software’ subject to the requirements of the memorandum”
- By 9/13/23: Agencies must “collect attestation letters not posted publicly by software providers for all software subject to the requirements of the memorandum”
At NetImpact, we don’t wait on a new year for a new you and a new way to get something done. Contact us at firstname.lastname@example.org to learn more about our DX360°® Cyber Software Chain Risk Management solution and how it can help you meet these deadlines.