United States of America: Issued OMB Update to Memorandum M-22-18 Enhancing the Security of the Software Supply Chain through Secure Software Development Practices

On 9 June 2023, the Office of Management and Budget (OMB) issued an Update to Memorandum M-22-18 for the heads of executive departments and agencies, enhancing the Security of the Software Supply Chain through Secure Software Development Practices. The memorandum reinforces the requirements outlined in M-22-18, emphasising the significance of implementing secure software development practices and extending the timelines for government agencies to gather attestations from software producers. Agencies must collect attestations for critical software within three months after the OMB approves the common form attestation. Within six months of OMB's approval, agencies must collect attestations for all software subject to the requirements of M-22-18. Furthermore, regarding the scope of M-22-18's requirements, attestations should be collected from the producer of the software end product used by an agency. OMB will prioritise extension requests for software products shared among multiple agencies, designating a lead agency for coordination and progress oversight. In any instance where there is a conflict between the provisions of this memorandum and M-22-18, the guidelines stated in this memorandum take precedence.