NASA SEWP director echoes concerns over looming deadlines for software providers
Federal agencies have until September to collect self-attestation forms from software providers before deploying their products on government systems – and most people aren’t ready, according to a top acquisition official.
A program manager for one of the largest federal information technology contract vehicles expressed doubt Monday that agencies will successfully obtain the self-attestation forms needed for all software products deployed on their systems ahead of a looming September deadline.
Joanne Woytek, program manager of NASA's Solutions for Enterprise Wide Procurement contract, said implementing a new White House acquisition rule that requires software vendors to confirm the security of their products was "not as simple as it sounds," while citing government-wide staffing and resourcing challenges.
“I don’t know what’s going to happen by September,” Woytek said at a summit hosted by NASA SEWP on managing government risk at scale. “We’re either going to find some magic wand that makes it happen, or we’re going to have some discussions with the [Office of Management and Budget] and figure out when this can happen.”
Woytek's remarks come as federal agencies face a June deadline to collect self-attestation forms from "critical software providers," and a Sept. 14 deadline to collect the forms from all software providers on their networks.
The 2022 memo instructed agencies to collect a standardized self-attestation form from all software vendors before deploying their products, with the goal of the Cybersecurity and Infrastructure Security Agency developing a central repository to maintain that information. Vendors can also provide confirmation that they will work to achieve compliance with guidance from the National Institute of Standards and Technology around secure software development.
The memo was drafted in part as response to the 2021 SolarWinds hack, where attackers breached a software contractor and uploaded malware to a software update that found its way onto multiple federal agency networks.
Industry groups have also expressed concerns about the deadline, including the Information Technology Industry Council, which called on the White House to provide further clarification on the OMB memorandum issued last year.
Many cybersecurity professionals agree that self-attestation forms and software bills of material, or SBOMs, are critical components in ensuring a software service or product was developed in compliance with NIST guidance.
But others have argued against setting requirements and deadlines for their implementation, saying that some federal agencies and technology buyers have not yet discovered how to leverage SBOMs and self-attestations to better protect their systems.
While the goal of the memorandum was to expand and streamline government cybersecurity oversight, Woytek suggested NASA SEWP and many others were unprepared for its implementation.
“I don’t have a self-attestation staff,” she said. “So yes, it’s crazy. But it is a policy, and we have to do what we can to figure it out with the help, hopefully, of the other agencies who are most in line to do something about it.”