ANNOUNCEMENT: Get Software Supply Chain Accountability with a Software Bill of Materials (SBOM).

Response to Executive Order 14028 Section 4

Executive Order 14028, Section 4, “Enhancing Software Supply Chain Security”, requires “Software Producers”, vendors who sell software to the United States government, to maintain secure development environments and trusted source code supply chains in compliance with NIST Secure Software Development Framework (SSDF) standards.  

Software producers must track the provenance of the source code and components in their software supply chains, track all vulnerabilities, remediate vulnerabilities prior to each new release, and participate in vulnerability disclosure programs. They must also provide auditable reports of these activities, and provide a software bill of materials (SBOM) and other artifacts upon request.

Federal agencies, referred to as “Software Purchasers”, are required to obtain an Attestation of Conformity or Conformity Assessment from “Software Producers” prior to implementing new software. In other words, federal agencies may not continue to use existing software or purchase future software applications without the corresponding vendor’s self-attestation.

In addition, Software Purchasers (federal agencies) may request that Software Producers provide attestation artifacts as evidence of conformity, including a Software Bill of Materials (SBOM). SBOMs can be useful to determine whether software presents additional risk considerations pertinent to the federal agency, such as dependency risks, vulnerabilities, foreign influence, and more.

To ensure compliance and uninterrupted use of critical applications and software, the federal agency should inform its software vendors of this emerging requirement. While this regulation is not currently enforceable, it is anticipated that the Common Attestation Form and the resulting requirement will become mandatory in the first quarter of 2024.

Software Purchasers

We've created a checklist to help you prepare for EO 14028 Section 4 compliance!

This includes:

  • Preparation Checklist
  • Inventory Software Checklist
  • Tips to Identify Critical Software
  • Software Security Risk Solution Information

How Do Federal Agencies Comply?

The Federal Agency must receive a current and completed Software Producer’s Attestation Form for any critical software that has been developed after September 14, 2022. Currently, DHS CISA is seeking feedback on the supplier self-attestation document that the federal agency must receive prior to utilizing software subject to EO 14028. The current draft form can be found here.

If the Software Producer does not provide a completed Attestation form, they must submit a third-party assessment documenting conformance to the NIST SP 800-218 Secure Software Development Framework (SSDF) version 1.1. The only acceptable third-party assessment is one performed by a Third-Party Assessor Organization (3PAO) that is FedRAMP certified or approved in writing by an appropriate federal agency official. Fortress has been officially recognized by TVA as its third-party assessment organization. The assessment form must either be posted on the Software Producer’s website or emailed to the federal agency point of contact.

In the event the Software Producer cannot demonstrate compliance via the form or the third-party assessment, they must submit a plan of action and milestones (POA&M) to the agency. The federal agency must either accept or reject the POA&M. A rejected or non-approved POA&M will interrupt the continued use or purchase of the in-scope software.

How Do Software Producers Comply?

The Software Producer must comply with each agency’s request to demonstrate compliance with EO 14028. The Attestation, Assessment or POA&M must be filed for each application used by the requesting federal agency. In most cases, the federal agency will be proactive in corresponding with the Software Producer to inform them of the requirement and to provide them with ample time to provide the attestation, assessment results or POA&M. However, there will be circumstances in which the federal agency does not properly inform the software producer and pressures the producer to complete the required information in short order. To minimize the impact and disruption to the supplier, it is recommended that the supplier proactively and successfully complete the Common Attestation Form.

If the Software Producer does not provide a completed Attestation form, they must submit a third-party assessment documenting conformance to the NIST SP 800-218 Secure Software Development Framework (SSDF) version 1.1. The only acceptable third-party assessment is one performed by a Third-Party Assessor Organization (3PAO) that is FedRAMP certified or approved in writing by an appropriate federal agency official. Fortress has been officially recognized by TVA as its third-party assessment organization. The assessment form must either be posted on the Software Producer’s website or emailed to the federal agency point of contact.

In the event the Software Producer cannot demonstrate compliance via the form or the third-party assessment, they must submit a plan of action and milestones (POA&M) to the agency. The federal agency must either accept or reject the POA&M. A rejected or non-approved POA&M will interrupt the continued use or purchase of the in-scope software.

DHS CISA's Secure Software Self-Attestation Common Form

On November 16, 2023, CISA, in accordance with Executive Order 14028 and the Office of Management and Budget’s (OMB) guidance in OMB M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices, released a 30-day Request for Comment on the draft Secure Software Development Attestation Common Form through regulations.gov.
