Newest Software Cybersecurity Rule Draws Jeers from Agencies

  • Agencies have to start collecting letters on secure software
  • Agency software buyers want the rule to be ‘scalable and doable’


A cybersecurity rule coming later this year on federal software purchases has elicited objections from agency contracting offices and vendors.

The rule will require agencies to obtain “self-attestation letters” from software vendors declaring that a product was developed in line with National Institute of Standards and Technology secure software development guidance.

Joanne Woytek, NASA program manager for the governmentwide acquisition contract known as SEWP, said the impetus behind the rule is “admirable” but it needs to be made “scalable and doable.”

Federal Acquisition Regulation officials are still considering the proposed rule, but the General Services Administration said it will start collecting attestations by mid-June.

GSA is in the process of developing training on the new rule and “anticipates a forthcoming FAR rule will provide definitive instructions for the requirements of the attestation at the contract level.” The agency plans to use a Cybersecurity and Infrastructure Security Agency form that it expects to be available before June on GSA’s website.

Federal program managers expressed confusion about whether they, too, will need to collect attestation letters, and whether the rule can be carried out at all.

“I don’t know how that can possibly work,” Woytek said at a GovExec event Monday. “But we’re going to work as best we can, working with GSA and NIST and others to determine what this policy means and how it might actually operate in a world in which there is not 10 companies but many thousands of companies selling software.”

“Some of them are in the US. Some of them are big, many of them are two or three people,” she added, describing the kinds of companies that list software products on SEWP. “Most of them don’t know how to spell NIST. So if we expect them to know how to do this software attestation, how’s it even work?”

Crossing Fingers There’s an Easy Plan

Kanitra Tyler, a program manager at NASA, said “my fingers, my eyes, my toes, and everything else that I can cross is crossed” that companies will make attestations publicly available, or that CISA will maintain a document repository so that NASA doesn’t have to do its own collection.

“We are now having full workshops to figure out how we’re going to operationalize that,” Tyler said of the prospect of NASA doing its own collection.

The Information Technology Industry Council also took issue with the pending rule in a letter to Office of Management and Budget Director Shalanda Young in November. The information and communications technology trade association urged OMB to use a single standardized form for all agencies and consider piloting the program before requiring it, among other suggestions.

Jaimie Clark, senior advisor and lead program manager at OMB’s Federal Acquisition Security Council, said at the event Monday that the goal right now is “understanding if there’s a way to clarify and provide some additional information and the answers that are going to be helpful.”

The secure software attestation rule originated with President Joe Biden’s 2021 executive order on “Improving the Nation’s Cybersecurity” (Executive Order 14028), which called on OMB to recommend language for updating federal procurement rules. It is a response to the SolarWinds attack, a software supply-chain compromise in which attackers planted a backdoor in SolarWinds’ Orion software updates and used it to breach federal systems in 2020, going undetected for months.

To contact the reporter on this story: Josh Axelrod in Washington at jaxelrod@bloombergindustry.com

To contact the editors responsible for this story: Amanda H. Allen at aallen@bloombergindustry.com; Jay-Anne B. Casuga at jcasuga@bloomberglaw.com
