The latest guidance (memo M-23–16) on EO 14028 offers several updates but most notably it extends the deadline for vendor attestation letters. Most anticipate an extension to the end of 2023 or beginning of 2024 at the latest. The memo also clarifies that the Agency CIOs determine if contractor developed software is “agency-software”; and, therefore out of scope. Lastly, it states that all attestation extension requests require a POA&M, otherwise the agency must discontinue use of the software. Lineaje offers solutions for EO 14028, check us out at lineaje.com to learn more.
On June 9, 2023, the US Government released new guidance, M-23-16, for the implementation of the Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity”. This memo provides several key clarifications, most notably extensions to the deadlines for software producers to submit attestations to the Federal Government.
As organizations strive for EO14028 compliance, our team at Lineaje, a software supply chain security company from Silicon Valley, is dedicated to developing solutions that assist software producers and agencies, alike.
Specifically, this memo (M-23-16) updates key aspects including:
1. Extending the Deadline for Software Producers to Provide Attestations
The memo M-23-16 extends the original deadlines for software producers to submit the EO conformity of attestation letters (based on requirements outlined in EO Guidance M-22-18).
According to the the update, software producers have three months for critical software, and six months for all software once the Attestation Letter is finalized and approved.
CISA has been aggressively pursuing the implementation of the EO and many speculate that CISA will move quickly; anticipating that the Attestation Letter will be finalized 1 to 2 months after the comment period closes on June 26, 2023. Requiring software producers to provide attestations by the end of the calendar year 2023 or at the latest by the beginning of 2024.
How Lineaje can help: We not only help create SBOMs (Software Bill of Materials) with the right dependency level depth and risk information but also automate generation of attestation letters which is immutably tied to the SBOMs. Lineaje enables software producers to tie multiple SBOMs to a single attestation letter, not just for products, but also for the SKUs software producers sell.
2. Clarifying Scope of What Types of Software Requires Attestations
This memo restates that the burden is placed on software producer of the end product to demonstrate that secure coding practices have been applied including “minimizing the risk third-party code”.
Freely obtained and publicly available software is out of scope — but must be identified correctly
The memo clarifies that agencies are not required to collect attestations for proprietary software that is freely obtained and publicly available. However, the memo reinforces that agencies are required to assess the risks of using such software and appropriately mitigate the risks. This implies that while agencies are not responsible for obtaining attestations from publicly available software — they are highly impacted by the inherent risks in the open source software they use.
How Lineaje can help: Lineaje helps organizations correctly identify their open source dependencies and reports on the inherent risks they drag in.
Is federal contractor developed software in scope? — it depends
The memo states that agency-developed software is considered out of scope; however, determining whether a federal contractor developed software under a federal contract is deemed “agency-software” — the answer is, it depends. According to the memo the agency CIO is responsible for determining if the software is “agency-developed”.
As previously noted in the original EO, organizations are required to identify all third-party and open source dependencies. They are also required to list any “Known Unknows” as part of their attestations.
If the dependencies are deemed too risky by the agencies (even though software producers think they are acceptable),agencies may not be able to use their software.
How Lineaje can help: Lineaje provides EO 14028 and SLSA attestations and compliance checks for software producers — with simple extensions for software that is built by either agency or federal contractors to help automate their processes.
3. Guidance on use of POA&Ms by Software Producers
If a software producer cannot attest to the practices outlined in the attestation letter an agency may still use the software but requires a POA&M (Plan Of Actions and Milestones) and risk mitigations.
A POA&M is a formal “living document” agreed to by the software producer and agency, listing when and how the software producer will conform to the requirements, and what actions it will take to mitigate risks.
How Lineaje can help: With our “Publish” mechanism software producers can easily publish SBOMs, attestations, vulnerability disclosure reports and POA&Ms across the entire software portfolio, enhancing transparency and compliance with the agencies that use their software.
Conclusion
In summary, the government has extended the deadline for Attestation Letters, but remains firm on their continued commitment to holding software producers accountable for the security of their products.
Lineaje offers a solution. With our EO14028 compliance automation, independent assessments, and secure sharing of Attestations, vulnerability disclosure, POA&Ms, and artifacts, we help software producers and agencies achieve EO14028 compliance before the deadlines.
Visit Lineaje.com to learn more and contact us today.