The Office of Management and Budget is inviting comments, through a set of questions, to inform the implementation of National Institute of Standards and Technology guidelines detailing best practices for improving software supply chain security, as required by the executive order on cybersecurity (Executive Order 14028) signed in May 2021.
On February 4, NIST released the Secure Software Development Framework (SSDF) and the Software Supply Chain Security Guidance, which are intended to ensure the security of software purchased by federal agencies, the OMB said Monday.
The executive order directs the OMB to require agencies to implement the SSDF and related guidelines. However, OMB will seek private sector input on how to implement the guidelines before asking agencies to require vendors to certify compliance with secure software development practices.
Among other questions, OMB asks stakeholders to describe the ideal process for agencies to obtain and maintain attestation documents for purchased software, and to provide examples of conformity assessment systems, procedures and tools that should be considered for applicability to the SSDF.
Responses to the questions are due March 18.
NIST will hold a virtual workshop on March 23 to help the OMB gather stakeholder input for the development of implementation guidelines governing the purchase of secure software by federal agencies.