Chris DeRusha, federal chief information security officer at OMB and deputy national cyber director, wrote in a blog post published Wednesday the OMB memo was developed using insights from academia and public and private sectors.
DeRusha, a previous Wash100 Award winner, said the document “directs agencies to use only software that complies with secure software development standards, creates a self-attestation form for software producers and agencies, and will allow the federal government to quickly identify security gaps when new vulnerabilities are discovered.”
According to the memo, federal agencies should comply with the National Institute of Standards and Technology’s guidance when using third-party software on government information systems.
Within 90 days of the memo’s issuance, agencies should conduct an inventory of all software, including a separate inventory for “critical software.”
The OMB guidance document also directs agencies to come up with a process to communicate relevant requirements to vendors and ensure that attestation letters are gathered in one system.