Biden's Cybersecurity Order: OMB's Action Plan for Federal Software Security

[{"selector":"#anim-2269be03-a53f-4d08-969f-731492898422","keyframes":{"opacity":[0,1]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}] [{"selector":"#anim-adeb1783-438e-474f-9ea0-1f931db7c80e","keyframes":{"opacity":[0,1]},"delay":150,"duration":1001,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-d290a44a-60de-4fbb-9da8-a4aedadeca56","keyframes":{"transform":["translate3d(0px, 213.54497%, 0)","translate3d(0px, 0px, 0)"]},"delay":150,"duration":1001,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] The US OMB has released new guidance for federal agencies to acquire security guarantees from software vendors

[{"selector":"#anim-f998f8f6-ce70-40e8-8df0-00d36df4846a","keyframes":{"opacity":[0,1]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}] [{"selector":"#anim-23ab9c4a-05ed-4261-8770-4f01fd632576","keyframes":{"opacity":[0,1]},"delay":150,"duration":1001,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-f8f0de46-dc0f-4573-9169-99c151d13222","keyframes":{"transform":["translate3d(0px, 250.68783%, 0)","translate3d(0px, 0px, 0)"]},"delay":150,"duration":1001,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] The guidance builds upon President Biden's cybersecurity executive order and a previous directive (M-22-18) from last year

[{"selector":"#anim-3f503329-b4a5-4949-a9d6-9b25e6a77c0b","keyframes":{"opacity":[0,1]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}] [{"selector":"#anim-38b645e2-6c0a-4e8a-9517-46eb76a9ba17","keyframes":{"opacity":[0,1]},"delay":150,"duration":1001,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-f9a10d38-7dc8-4cd2-86dc-efae1c41abd5","keyframes":{"transform":["translate3d(0px, 254.49736%, 0)","translate3d(0px, 0px, 0)"]},"delay":150,"duration":1001,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] Vendors must provide guarantees for software developed after September 14, 2022, and major updates or continuous service updates

[{"selector":"#anim-04ccd3ca-e98a-4cb6-a061-b663db9c4de0","keyframes":{"opacity":[0,1]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}] [{"selector":"#anim-532220ce-92df-4a1c-a8c7-931bfecbd38e","keyframes":{"opacity":[0,1]},"delay":150,"duration":1001,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-cafe760a-ecfb-4c19-889e-02a9ca87ed15","keyframes":{"transform":["translate3d(0px, 252.59263%, 0)","translate3d(0px, 0px, 0)"]},"delay":150,"duration":1001,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] Attestations can include self-attestation forms, software bill of materials (SBOM), and running a vulnerability disclosure program

[{"selector":"#anim-4a462a32-3cdb-428e-a9c3-927189c54c69","keyframes":{"opacity":[0,1]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}] [{"selector":"#anim-4708d042-8de5-4aef-b435-a261e1b08bd5","keyframes":{"opacity":[0,1]},"delay":150,"duration":1001,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-10ae3ba3-ffd4-4dc9-9585-f27eb028b13a","keyframes":{"transform":["translate3d(0px, 250.68783%, 0)","translate3d(0px, 0px, 0)"]},"delay":150,"duration":1001,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] The latest memorandum (M-23-16) reiterates the directives and extends the deadline for agencies to receive attestations

[{"selector":"#anim-91712bd7-da67-47bb-b8fe-10fecce0f003","keyframes":{"opacity":[0,1]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}] [{"selector":"#anim-c11bf3a2-0544-4a6c-8c34-bbb0538fce73","keyframes":{"opacity":[0,1]},"delay":150,"duration":1001,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-164199ba-80b7-40c7-ad47-0dfa6abe39fc","keyframes":{"transform":["translate3d(0px, 200.91891%, 0)","translate3d(0px, 0px, 0)"]},"delay":150,"duration":1001,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] Agencies need to evaluate the risk of freely obtained and publicly available proprietary software and attestations are required for contractor-deployed software

[{"selector":"#anim-7a23b13d-784e-4a98-ba30-4a1a9fa0a33f","keyframes":{"opacity":[0,1]},"delay":0,"duration":2000,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}] [{"selector":"#anim-396bc2b4-5550-4304-b771-16ecb57ba767","keyframes":{"opacity":[0,1]},"delay":150,"duration":1001,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-00d9f376-ad79-414c-88df-b47cebaa112f","keyframes":{"transform":["translate3d(0px, 188.88887%, 0)","translate3d(0px, 0px, 0)"]},"delay":150,"duration":1001,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] If a vendor can't provide an attestation, agencies can request an extension if they provide documentation on non-compliant practices

Sectrio's global threat report

Biden's Cybersecurity Order: OMB's Action Plan for Federal Software Security

Sectrio's global threat report

Explore Sectrio's global threat report to learn more about OT/ICS & IoT cybersecurity challenges and best practices