Software for Federal Agencies: New Orders and Their Downstream Impact
By Jason Kane, CPA, CISA, and Ted Lucas, CPA
Cybersecurity has become a growing national threat in the United States. According to the Cybersecurity and Infrastructure Security Agency (CISA), 47% of American adults have had their personal information exposed by cyber criminals. In May 2021, the Biden Administration recognized this threat by issuing Executive Order 14028, "Improving the Nation’s Cybersecurity."
Some of the directives in the order included implementing stronger security standards in the federal government, creating a cyber safety review board, developing a standard playbook to respond to cyber incidents, and improving software supply chain security.
In Sept. 2022, as a follow-up to the Executive Order, a memo was sent to the heads of Executive Departments and federal agencies stating that federal agencies are required to use only software that is compliant with the NIST 800-218 guidance (Secure Software Development Framework).
Additionally, software producers are now required to self-attest, or obtain attestation from a third party, that their software is compliant with the framework before a federal agency uses it. Self-attestation will entail completing a form and checklist on which each requirement stated within NIST 800-218 is listed.
Requirements
NIST 800-218 has over 40 requirements spanning four different areas of focus for companies that produce software. Some of the requirements include:
• Having written policies and procedures over software development practices
• Configuring tools to generate artifacts in support of software development
• Securing access to any code by the principle of least privilege
• Using risk modeling in the software development process
• Creating a baseline of security requirements for developed software
• Having a vulnerability disclosure and analysis policy, and analyzing the root cause of any identified vulnerabilities
Timeline
Compliance and self-attestation will be required before the end of 2023. The self-attestation form for software producers was posted in Jan. 2023. For software deemed critical, self-attestation is required by June 11, 2023, and by Sept. 14, 2023, for all software used by federal agencies.
Downstream Impact
Required federal agency compliance with the NIST guidance will affect software producers far beyond the federal market. As time passes and agencies adopt different software solutions, or perform vendor due diligence on potential software vendors, compliance with NIST 800-218 will become both a requirement for selling to agencies and a selling point for software producers generally.
Because of this necessity on the federal agency side, NIST 800-218 requirements may trickle down to software vendors that do not serve federal agencies. This should generally be received as positive news for users of software, including spring manufacturers with proprietary information that must be kept secure. As more software becomes cloud-based and more of the responsibility for running it shifts to the software producer, users and companies can have stronger peace of mind knowing that their data is secured and assessed against an established framework.
Ted Lucas is a partner in Marcum LLP’s Hartford, Connecticut, office. Lucas has more than 20 years of experience conducting and performing audits and reviews for both publicly traded and privately held companies in the manufacturing, technology, retail, real estate, construction and alternative energy industries. In addition, Lucas serves as treasurer and a member of the board of directors for NESMA. For more information, email Ted.Lucas@marcumllp.com.
Jason Kane is a manager in Marcum LLP’s Boston, Massachusetts, office. Kane is a supervisor in the firm’s risk advisory and consulting practice with nearly 10 years of professional experience in a wide range of client services. Kane’s portfolio of clients spans several industries, including technology, pharmaceuticals, manufacturing, retail, banking and health care. For more information, email Jason.Kane@marcumllp.com.