The White House released guidance Wednesday to ensure federal agencies use software that meets minimum security standards, part of a larger effort by the Biden administration to strengthen the security of the software supply chain.
The guidance, from the Office of Management and Budget, requires federal agencies to use third-party software that complies with National Institute of Standards and Technology guidelines.
Federal agencies will be required to get a self-attestation from the software producer before using the software in their departments, according to a memo from OMB Director Shalanda Young. The self-attestation will serve as a statement of conformance with NIST guidelines.
Agencies may also obtain artifacts from the software producer that demonstrate conformance with secure software development practices, such as a software bill of materials (SBOM).
Chris DeRusha, federal CISO and deputy national cyber director, outlined the new guidelines in a blog post.