White House: U.S. agencies have 90 days to create inventory of all software

The White House released new guidance this week ordering federal agencies to create a full inventory of the software they use within 90 days. 

In a letter to all heads of executive departments and agencies, White House Office of Management and Budget (OMB) director Shalanda Young said a wide-ranging cybersecurity executive order handed down last May by President Joe Biden directed the National Institute of Standards and Technology (NIST) to publish guidance on how the agencies can better protect government systems through more secure software.

Now that NIST has finished creating its guidance, the OMB wants all agencies to implement it for any third-party software used with an organization’s computer systems. The rules do not apply to software developed by agencies themselves.

One of the key tenets of the NIST guidance is having agencies ask the producers of software to show they have followed a “risk-based approach for secure software development,” and agencies are now banned from using software that does not comply with the NIST guidelines.

The software vendors will need to send agencies a “self-attestation” letter about the product’s security features, recent changes and more. The vendors also have to attest to following “secure development practices.”

In addition to the 90-day deadline for creating an inventory of all software used, agency chief information officers have 120 days to build out a process for communicating the new requirements to software vendors. Within 270 days, agencies need to collect letters from vendors about "critical" software. Agencies will need to have letters from vendors about all software — critical and otherwise — by next September. 

The letter gives agency CIOs one more task: they have six months to train employees to validate what the software companies claim in their letters. Any extensions to the timelines need to be applied for within 30 days of the deadline.

Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director, said it is important for agencies to embark on this process because they handle “everything from tax returns to veteran’s health records.”

DeRusha specifically cited the SolarWinds scandal as one of the reasons why the effort was paramount for agencies, noting that the 2020 incident saw several federal agencies and corporations compromised by malicious code that was added into SolarWinds software.

The small change created a backdoor into the digital infrastructure of federal agencies and private sector companies.

“This incident was one of a string of cyber intrusions and significant software vulnerabilities over the last two years that have threatened the delivery of Government services to the public, as well as the integrity of vast amounts of personal information and business data that is managed by the private sector,” DeRusha said.

He added that the goal of the effort is to ensure that “millions of lines of code that underpin Federal agencies’ work are built with industry security standards in place.”

Young, the OMB director, said these tasks are part of a larger effort to get agencies to regularly use NIST guidance when choosing what software to use.

Young also outlined a process where the “self-attestation” letters from vendors can be supplemented or replaced by a third-party assessment provided by a federally-certified organization or government agency.

The letter to agencies adds that they can require a Software Bill of Materials (SBOMs) — an ingredient list of parts that make up a piece of software.

In recent months, the Cybersecurity and Infrastructure Security Agency (CISA) has led an industry-wide push to make SBOMs a common part of releasing any piece of software, with the hope that the practice will make it easier to find potentially vulnerable features. Cybersecurity experts and lawmakers say that SBOMs would make it easier for organizations to deal with issues like the Log4j vulnerability uncovered in December 2021, because it would help identify whether they're at risk and how to mitigate the threat.

OMB is working with CISA and the General Services Administration to create a centralized repository for software attestations. CISA was also given a range of tasks to complete over the next year that include creating some of the guidelines agencies will need to follow going forward. 

DeRusha explained that the guidance released this week was created with input from the public and private sector as well as academia. It will make it easier for federal authorities to quickly identify security gaps when new vulnerabilities are discovered, he added.

“Not too long ago, the only real criteria for the quality of a piece of software was whether it worked as advertised,” DeRusha said. “With the cyber threats facing Federal agencies, our technology must be developed in a way that makes it resilient and secure, ensuring the delivery of critical services to the American people while protecting the data of the American public and guarding against foreign adversaries.”

"Long Overdue"

Rick McElroy, principal cybersecurity strategist for VMware, told The Record that while the timeline “seems aggressive,” all of the goals listed in the advisory are “worthy and long overdue.”

He added that it will have a major impact on any provider of technology services or software to governmental agencies, noting that suppliers will now need to be prepared to respond to the requirements outlined. 

Additionally, because the government spends billions of dollars on software, the requirements might have a downstream effect — software developers might decide to offer these features to regular customers.

Immersive Labs’ Kev Breen explained that executives’ focus on rapidly shipping new products to market means that cybersecurity is not always the top priority, potentially exposing companies to millions in lost revenue and damaged brand reputations.

Former Obama administration cybersecurity commissioner Tom Kellermann told The Record that software supply chains are now under siege thanks to a deluge of cybercriminals and spies specifically targeting software development, integration, and delivery infrastructure.

“Given the sophistication of recent software supply chain cyberattacks, ensuring software integrity is paramount to protecting Federal systems systemic cyberattacks,” he said. 

DeRusha said the software changes are part of a larger effort by the Biden-Harris Administration to modernize agency cybersecurity practices, improve detection and response to threats as well as “quickly investigate and recover from cyberattacks.”

“The guidance released today will help us build trust and transparency in the digital infrastructure that underpins our modern world and will allow us to fulfill our commitment to continue to lead by example while protecting the national and economic security of our country,” he said.