United States of America: Issued OMB New Security Requirements for Federal Government Software Suppliers

On 14 September 2022, the Office of Management and Budget (OMB) issued new security requirements that all federal agencies have to ensure are met when procuring "critical software" from third parties. The Memorandum requires every federal agency to comply with National Institute of Standards and Technology (NIST) guidance when using third-party software. The software that fall under the guidance includes firmware, operating systems, cloud-based software, applications and application services. The Memorandum lists the steps each agency must take to ensure its compliance with secure software development practices, such as obtaining a self-attestation from the software producer for all third-party software used by the agency and obtaining certificates that demonstrate conformance with secure software development practices. In the absence of the self-attestation and certificate, the private entities will not be able to participate in any public tendering or be granted a public procurement. The requirement for agencies to develop guidelines for software vendors comes into force in 120 days following the adoption of the Memorandum. The obligation of agencies to collect in a centralised system cybersecurity attestation letters becomes applicable after 270 days.