Trade Org Urges OMB to ‘Harmonize’ Secure Software Development Practices

The Information Technology Industry Council, or ITI—a technology trade association—sent a letter to the White House’s Office of Management and Budget Monday asking the agency to “harmonize” secure software development practice requirements across the federal government via a standardized rulemaking process. 

In particular, ITI wants OMB to clarify its September memorandum, which serves as a guide for the heads of executive departments and agencies to help implement requirements in the May 2021 executive order on cybersecurity.

According to the letter, the memorandum is unclear and confusing, and, since there is no Federal Acquisition Regulation rule requiring industry to comply with it, requirements could be applied differently across and within agencies.

“The memorandum is an important milestone in securing the software development process,” Gordon Bitko, executive vice president of policy for public sector at ITI, said. “Software producers face significant barriers, including ambiguous terminology, confusing timelines and the potential for regulatory fragmentation. We are concerned that these requests will be applied differently across the government, even within agencies. This creates ambiguity and may ultimately delay progress towards the government’s software security goals.”

The letter, sent to OMB Director Shalanda Young, provides OMB with several recommendations to further the government’s progress for secure software development as the agency works on implementing the cybersecurity executive order. 

“We believe the best way to achieve the government’s goal of establishing repeatable, scalable processes that support the adoption of securely developed software is through the established regulatory process under the Administrative Procedure Act,” the letter stated. “To support the effective and consistent implementation of the government’s cybersecurity objectives, we call upon OMB to use its role in establishing cross-government objectives and timelines for the rollout of secure software development lifecycle requirements to maximize harmonization and built-in flexibility while software producers work to comply with new guidance on short notice.”

In particular, ITI urged OMB to:

• Better define the requirement to utilize a standard form for all agencies, with the ability to request addendums for unique mission needs.

• Deter agencies from mandating artifacts until the software bill of materials are “scalable and consumable.”

• Fix the implementation timeline to allow for a standardized rollout through the current regulatory process.

• Look at a pilot for collecting attestations and artifacts for the memorandum before requiring them.

• Utilize the overlap with current processes as much as possible to avoid adding more complications.