On September 14, 2022, OMB released memorandum M-22-18, which sets requirements for federal agencies procuring software. The memorandum requires producers of software sold to federal agencies to attest that they follow the secure development practices in NIST SP 800-218, the NIST Secure Software Development Framework (SSDF). Agencies have 365 days from the memorandum's release to collect attestations for most software and 270 days for software an agency identifies as critical.
Under the current guidance, self-attestation is sufficient for most software. The memorandum already lets an agency require a third-party assessment, performed by a FedRAMP-certified Third-Party Assessment Organization (3PAO) or an assessor the agency approves, when the criticality of the product warrants it, and a broader third-party requirement is likely in the future. If a producer cannot attest to every practice, it must document the gaps and a remediation plan in a Plan of Action and Milestones (POA&M). The receiving agency can then perform a risk assessment to decide whether the current deficiencies and the remediation plan fit its risk appetite.
SCYTHE’s own Jim Webster put together this handy graphic displaying the timeline of responsibilities for federal agencies and CISA.
Figure 1: Timelines and responsibilities
SP 800-218 includes examples where validating that a control actually works matters, such as the PO.3.2 example to "continuously monitor tools and tool logs for potential operational and security issues, including policy violations and anomalous behavior." Monitoring is only useful if it fires, so organizations should emulate a threat actor in the build environment and confirm that their logging and detection controls register the activity. PO.5.1 ("Separate and protect each environment involved in software development") and PO.5.2 ("Secure and harden development endpoints to perform development-related tasks using a risk-based approach") describe further controls whose effectiveness should be verified with tooling such as an adversary emulation platform rather than assumed from a configuration review.
Figure 2: NIST 800-218, PO 5.2
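The following is an added example, not code from the original post or from SCYTHE's platform, of the check described above: a few PO.3.2-style monitoring rules run over constructed build-agent log lines, and the hits compared against the list of actions an emulated adversary performed in the build environment. The log lines, the allowlisted hosts, the pipeline file names and the rule names are all constructed for illustration; the point is the last step, which reports which emulated actions produced no detection.

```python
"""Detection-coverage check for a build environment (constructed example).

Runs simple monitoring rules over constructed build-agent audit records,
then compares the rule hits against the actions an emulated adversary
performed, so the undetected actions stand out as monitoring gaps.
"""
import json
from collections import defaultdict

# Assumed environment policy (hypothetical values for illustration).
ALLOWED_EGRESS_HOSTS = {"artifacts.corp.example", "deps.corp.example"}
PIPELINE_FILES = {".ci/pipeline.yml", "Jenkinsfile"}
BUILD_TOOL_PROCS = {"gradle", "mvn", "npm", "make"}
SHELLS = {"sh", "bash", "pwsh", "python"}

# Constructed build-agent audit log in JSON lines; not real data.
SAMPLE_LOG = """\
{"ts":"2022-09-20T10:00:01Z","agent":"build-07","type":"proc","parent":"runner","exe":"gradle","args":"build"}
{"ts":"2022-09-20T10:00:09Z","agent":"build-07","type":"net","exe":"gradle","dst":"deps.corp.example","port":443}
{"ts":"2022-09-20T10:00:15Z","agent":"build-07","type":"net","exe":"gradle","dst":"203.0.113.40","port":443}
{"ts":"2022-09-20T10:00:22Z","agent":"build-07","type":"proc","parent":"gradle","exe":"bash","args":"-c id"}
{"ts":"2022-09-20T10:00:30Z","agent":"build-07","type":"file","exe":"bash","op":"write","path":".ci/pipeline.yml"}
{"ts":"2022-09-20T10:00:41Z","agent":"build-07","type":"file","exe":"bash","op":"read","path":"/home/runner/.docker/config.json"}
"""

# Actions the emulated adversary performed, each mapped to the rule that
# should catch it. The last rule is deliberately not implemented below,
# which is the kind of gap the exercise is meant to expose.
EMULATION_PLAN = [
    {"action": "build step contacts host outside the registry allowlist",
     "expected_rule": "unexpected_egress"},
    {"action": "shell spawned by the build tool",
     "expected_rule": "shell_from_build_tool"},
    {"action": "pipeline definition rewritten during the build",
     "expected_rule": "pipeline_modified"},
    {"action": "registry credentials read from the runner home directory",
     "expected_rule": "credential_file_read"},
]


def parse_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def run_rules(events):
    """Apply the monitoring rules; returns {rule_name: [matching events]}."""
    hits = defaultdict(list)
    for ev in events:
        # Policy violation: build agents may only talk to the artifact hosts.
        if ev["type"] == "net" and ev["dst"] not in ALLOWED_EGRESS_HOSTS:
            hits["unexpected_egress"].append(ev)
        # Anomalous behavior: a build tool launching an interpreter or shell.
        if (ev["type"] == "proc" and ev.get("parent") in BUILD_TOOL_PROCS
                and ev["exe"] in SHELLS):
            hits["shell_from_build_tool"].append(ev)
        # Policy violation: pipeline definitions changed while a job runs.
        if (ev["type"] == "file" and ev.get("op") == "write"
                and ev["path"] in PIPELINE_FILES):
            hits["pipeline_modified"].append(ev)
    return dict(hits)


def coverage(hits, plan):
    """Split the emulation plan into detected and missed actions."""
    detected = [p["action"] for p in plan if hits.get(p["expected_rule"])]
    missed = [p["action"] for p in plan if not hits.get(p["expected_rule"])]
    return {"detected": detected, "missed": missed}


def report(log_text=SAMPLE_LOG, plan=EMULATION_PLAN):
    """Run the rules over a log and measure coverage of the emulation plan."""
    return coverage(run_rules(parse_log(log_text)), plan)


if __name__ == "__main__":
    result = report()
    for name in ("detected", "missed"):
        print(f"{name}:")
        for action in result[name]:
            print(f"  - {action}")
```

On the constructed log the egress, shell and pipeline-tampering actions are detected and the credential read is not, which is the finding an emulation exercise is meant to surface: the control exists on paper, but nothing in the toolchain monitoring would have noticed that step. In a real environment the rules would be the detection content in your SIEM or EDR and the plan would be the campaign run by the emulation platform; the comparison step is the same.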
If you are not confident that the security controls in your development environment (or any other environment) are working as intended, reach out to SCYTHE to schedule a demo of our platform. If you would rather have SCYTHE assist with control validation or Purple Team assessments, SCYTHE offers professional services for organizations of any size or budget. SCYTHE wants to help organizations get the most value from their security controls. After all, you want to know where you stand.