Friday, June 23, 2023

What are the new due dates for software supplier attestations?


There has been confusion regarding the postponement of the date the software security attestations by suppliers are due under Executive Order 14028, as interpreted by OMB. The attestations were originally required for this month in last fall's OMB memo M-22-18. Most software developers that sell to the federal government will need to fill out these attestations. The recent OMB memo M-23-16 provides a new timeline for the attestations being due. Unfortunately, the new memo isn’t exactly a model of clarity, to say the least. The relevant paragraph is:

This memorandum modifies the deadlines by which agencies must collect attestation letters. Agencies must collect attestations for critical software subject to the requirements of M-22-18 and this memorandum no later than three months after the M-22-18 attestation common form released by the Cybersecurity and Infrastructure Security Agency (CISA) (hereinafter “common form”) is approved by OMB under the Paperwork Reduction Act (PRA). Six months after the common form’s PRA approval by OMB, agencies must collect attestations for all software subject to the requirements delineated in M-22-18, as amended by this memorandum. 

From this, I’ve derived the following rough timeline: 

  1. CISA releases their approved version of the attestation form. The comment period for the original form won’t close for a week or two. Then it will probably take at least 3 months before the CISA technical staff approves a revised version. Given that this form is likely to be very controversial, with a lot of pressure put on CISA from software suppliers and device manufacturers, this might well be an underestimate.
  2. CISA lawyers approve the form. I strongly doubt CISA will be able to release the form without the lawyers’ approval (heck, I wouldn’t be surprised if the CISA lawyers have to approve every change to the lunchroom menu). From what I’ve seen so far about getting those lawyers’ approval for SBOM and VEX documents, it will take them about 2 months to approve the form. Thus, I'm guessing CISA will take 5 months at a minimum to develop and approve the new attestation form.
  3. OMB reviews the form and approves it under the Paperwork Reduction Act. I initially listed this as a minimum of 2 months, but someone in the government with experience in this area said the OMB PRA reviews usually take at least 4 months. So we’re now at 9 months minimum.
  4. Agencies collect attestations from suppliers of “critical software”. This occurs 3 months[i] after OMB approval, so now we're at 12 months minimum.
  5. Agencies collect attestations for all software which is “subject to the requirements delineated in M-22-18…” This is 6 months after OMB’s PRA approval date (and 3 months after the deadline for critical software), meaning that the deadline for attestations for other software will be 15 months from now, at a minimum.

This is quite a long time. What could be done to shorten it? I can't comment on all of the other numbers besides the number for CISA's development of the new attestation form. Unfortunately for CISA, being told to develop an attestation form for the NIST Secure Software Development Framework (SSDF) is something like being told to develop a perpetual motion machine, and a procedure for squaring the circle for good measure. The SSDF, like everything else that NIST puts out, was developed as a risk management framework and certainly not a compliance framework.

Thus, the SSDF includes no information on what would constitute "compliance" with any of its provisions, or what criteria might determine whether a provision applies to a supplier at all (a risk management framework like the SSDF is developed on the assumption that the organizations following it won’t be compelled to address provisions they believe don’t apply to them; that’s how risk management works). This and other questions will all need to be answered by CISA before the form is ready.

I'm sure CISA will be pressured to put in measurable compliance parameters, since only by doing so will federal agencies be enabled to determine whether or not a supplier has provided a valid attestation. However, each of these parameters is certain to be quite controversial. For example, consider the provision “Separating and protecting each environment involved in developing and building software” in the current form. If that were to survive in the new form, CISA would need to:

1. Define “environment”. Presumably, it doesn’t refer to whether the devices that build the software are located in the desert vs. a big city (although that could certainly be part of the calculation). More importantly, what constitutes the border of this environment? Unless that’s clearly defined, the software developer might have to provide these protections to every device that’s on any of its networks, even if they’re properly segmented from each other.

2. Define what measures constitute “Separating…each environment”. Does that mean just separating it from other networks? Does it mean the development network needs to be air-gapped from the rest of the world? And if that’s too drastic, what is at least an “adequate” level of separation?

3. Define what measures constitute “protecting each environment”. Obviously, a single network firewall provides a good deal of protection, which is why just about every network on the planet has one today. Is that adequate protection? And if it is adequate, how does it have to be configured? If every rule reads “any/any”, is that enough? Certainly not! And if the single firewall isn’t enough protection, what is?

Those are just the first three questions that come to mind. I’m sure that answering them will raise other questions, e.g. whether the internet routers are protected against DNS attacks. Some of these might be irrelevant, but the CISA staff won’t want to take any chances with this form, since if they leave out an important risk, they’ll be criticized for not being "tough enough" on suppliers (of course, some suppliers will always say they’re being too tough, no matter what CISA proposes. There simply isn't any happy medium).

Of course, I’m not recommending that any supplier wait a year before they create their attestation(s). They should all start on it as soon as the form is released by CISA (i.e. in five months, according to my estimate above). OMB isn’t going to make any substantive changes to the form, even if they have objections – they’ll send it back to CISA for remediation. 

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.


[i] Of course, the text says “no later than” three months, but I highly doubt the agencies are all going to start demanding attestations from their suppliers before that deadline, since the suppliers are likely to just laugh and point out that they have three months, and say they need every minute of it – which will probably be true.
