There has been confusion regarding
the postponement of the date the software security attestations by suppliers
are due under Executive Order 14028, as interpreted by OMB. The attestations
were originally required for this month in last fall's OMB memo M-22-18. Most
software developers that sell to the federal government will need to fill out
these attestations. The recent OMB memo M-23-16 provides a new timeline for the
attestations being due. Unfortunately, the new memo isn’t exactly a model of
clarity, to say the least. The relevant paragraph is:
This memorandum modifies the
deadlines by which agencies must collect attestation letters. Agencies must
collect attestations for critical software subject to the requirements of
M-22-18 and this memorandum no later than three months after the M-22-18
attestation common form released by the Cybersecurity and Infrastructure
Security Agency (CISA) (hereinafter “common form”) is approved by OMB under the
Paperwork Reduction Act (PRA). Six months after the common form’s PRA approval
by OMB, agencies must collect attestations for all software subject to the requirements
delineated in M-22-18, as amended by this memorandum.
From this, I’ve derived the
following rough timeline:
- CISA releases their approved version of the attestation form. The comment
period for the original form won’t close for a week or two. Then it will probably take at least 3 months
before the CISA technical staff approves a revised version. Given that
this form is likely to be very controversial, with a lot of pressure put
on CISA from software suppliers and device manufacturers, this might well
be an underestimate.
- CISA lawyers approve the form. I strongly doubt CISA will be able to
release the form without the lawyers’ approval (heck, I wouldn’t be surprised
if the CISA lawyers have to approve every change to the lunchroom menu). From
what I’ve seen so far about getting those lawyers’ approval for SBOM and
VEX documents, it will take them about 2 months to approve the form. Thus,
I'm guessing CISA will take 5 months at a minimum to develop and approve the
new attestation form.
- OMB reviews the form and approves it under the Paperwork Reduction Act. I initially listed this as a minimum of 2 months, but someone in the government with experience in this area said the OMB PRA reviews usually take at least 4 months. So we’re now at 9 months minimum.
- Agencies collect attestations from suppliers of “critical software”. This
occurs 3 months[i] after OMB approval,
so now we're at 12 months minimum.
- Agencies collect attestations for all software which is “subject to the
requirements delineated in M-22-18…” This is 6 months after OMB’s
PRA approval date (and 3 months after the deadline for critical software),
meaning that the deadline for attestations for other software will be 15 months from now, at a minimum.
This is quite a long time. What could be done to shorten it? I can't comment on the other numbers, only on the estimate for CISA's development of the new attestation form. Unfortunately for CISA, being told to develop
an attestation form for the NIST Secure
Software Development Framework (SSDF) is
something like being told to develop a perpetual motion machine, and a procedure
for squaring the
circle for good measure. The SSDF, like everything else that NIST puts out,
was developed as a risk management framework and certainly not a compliance
framework.
Thus, the SSDF includes no
information on what would constitute "compliance" with any of its
provisions, or what criteria might determine whether a provision applies to a
supplier at all. When a risk management framework like the SSDF is
developed, its developers assume the organizations that follow
it won’t be compelled to address provisions they believe don’t apply to them;
that’s how risk management works. This and other questions will all need to be
answered by CISA before the form is ready.
I'm sure CISA will be pressured to
put in measurable compliance parameters, since only by doing so will federal
agencies be enabled to determine whether or not a supplier has provided a valid
attestation. However, each of these parameters is certain to be quite controversial.
For example, consider the provision “Separating and protecting each environment
involved in developing and building software” in the current form. If that were
to survive in the new form, CISA would need to:
1. Define “environment”.
Presumably, it doesn’t refer to whether the devices that build the software are
located in the desert vs. a big city (although that could certainly be part of
the calculation). More importantly, what constitutes the border of this environment?
Unless that’s clearly defined, the software developer might have to provide
these protections to every device that’s on any of its networks, even if they’re
properly segmented from each other.
2. Define what measures
constitute “Separating…each environment”. Does that mean just separating it
from other networks? Does it mean the development network needs to be
air-gapped from the rest of the world? And if that’s too drastic, what is at
least an “adequate” level of separation?
3. Define what measures constitute
“protecting each environment”. Obviously, a single network firewall provides a
good deal of protection, which is why just about every network on the planet
has one today. Is that adequate protection? And if it is adequate, how does it
have to be configured? If every rule reads “any/any”, is that enough? Certainly
not! And if the single firewall isn’t enough protection, what is?
Those are just the first three
questions that come to mind. I’m sure that answering them will
raise other questions, e.g. whether the internet routers are protected against
DNS attacks. Some of these might be irrelevant, but the CISA staff won’t want
to take any chances with this form, since if they leave out an important risk,
they’ll be criticized for not being "tough enough" on suppliers (of
course, some suppliers will always say they’re being too tough, no matter what CISA
proposes. There simply isn't any happy medium).
Of course, I’m not recommending that any supplier wait a year before they create their attestation(s). They should all start on it as soon as the form is released by CISA (i.e. in five months, according to my estimate above). OMB isn’t going to make any substantive changes to the form, even if they have objections – they’ll send it back to CISA for remediation.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] Of
course, the text says “no later than” three months,
but I highly doubt the agencies are all going to start demanding attestations
from their suppliers before that deadline, since the suppliers are likely to
just laugh and point out that they have three months, and say they need every
minute of it – which will probably be true.