NASA Official Sees Possible Delay to Vendor Self-Attestations on Software Security

Joanne Woytek, director of NASA’s Solutions for Enterprise-Wide Procurement contract vehicle, said that workforce and resource shortages could delay the collection of vendor self-attestations to the security of software used by federal agencies. Speaking at a recent conference, she said that NASA SEWP and several other organizations lack the proper staff to implement the policy, which was mandated by an Office of Management and Budget memorandum.

OMB developed a standard self-attestation form alongside the Cybersecurity and Infrastructure Security Agency, which is tasked with creating a data hub compiling all the collected documents.

The government is tasked with collecting self-attestations from critical software providers by a June deadline, while self-attestations from other vendors are due in September.

According to Woytek, discussions could happen with OMB regarding a potential extension, FCW reported.

The Information Technology Industry Council sent a petition to OMB Director Shalanda Young in a bid to obtain clarification on the self-attestation collection process. The group, which represents firms such as Amazon and Google, recommended that a pilot run be conducted.

Brett Baker, a member of the National Institute of Standards and Technology’s Information Security Privacy Advisory Board, told Nextgov during an October 2022 briefing on the OMB memo that the government cannot rely on software vendor assurances.