OMB reverses Biden-era software attestation order
"The White House on Friday rescinded a 2022 order that mandated a single, standardized self-attestation form for federal agencies to obtain cybersecurity assurances from software vendors, arguing the policy hindered agencies from adopting security solutions for their specific system needs. 'There is no universal, one-size-fits-all method of achieving that result,' Office of Management and Budget Director Russ Vought said in the memo released Friday. 'Each agency should validate provider security utilizing secure development principles and based on a comprehensive risk assessment.'"
"A software attestation is typically a statement from a vendor outlining the security controls and development practices used to build a software product. It can assist government customers in understanding their exposure to supply-chain risk and clarify responsibility when vulnerabilities or breaches emerge. The 'unproven and burdensome' process 'diverted agencies from developing tailored assurance requirements for software and neglected to account for threats posed by insecure hardware,' the new Vought memo says."
The White House rescinded a 2022 order that required a single, standardized self-attestation form for software vendors, concluding the policy hindered agencies from adopting security solutions tailored to system needs. The guidance emphasizes that no universal, one-size-fits-all method exists and that each agency must validate provider security using secure development principles and comprehensive risk assessments. The original directive followed the May 2021 SolarWinds intrusion. A software attestation outlines vendor security controls and development practices to clarify supply-chain risk and responsibility. Agencies must inventory software and hardware and create tailored assurance policies; they may use the government attestation and can require SBOMs contractually.
Read at Nextgov.com