Software security

NIST Advisory Board Member Raises Concerns About Accepting Security Self-Attestation From Software Vendors

Brett Baker, inspector general for the U.S. Archives and Records Administration, did not agree with the Office of Management and Budget’s memorandum that introduces a self-attestation security policy for software purchased by federal agencies. Baker, a member of the National Institute of Standards and Technology’s Information Security Privacy Advisory Board, believes agencies should not rely on the security promises of vendors. He made the statement on the sidelines of a board meeting on Wednesday, during which participants were briefed on the OMB’s decision, Nextgov reported.

The M-22-18 memo was issued to agencies under Executive Order 14028 in the wake of the SolarWinds IT management software breach. SolarWinds suffered a large-scale cyberattack in 2020 believed to have been perpetrated by hacking group APT29. Using stolen Microsoft 365 credentials, the group compromised SolarWinds’ infrastructure, resulting in data breaches in multiple federal agencies and the private sector.

“You can’t just trust vendors, we have to stop that,” Baker said, noting that testing should be performed to ensure cybersecurity standards are met.

OMB’s memo was released after NIST issued secure software guidelines in February in response to the Solarwinds breach. NIST urged federal procurement officials to be careful in accepting self-attestation from software vendors.

Under the memo, vendors should submit a self-attestation form to be developed by the Cybersecurity and Infrastructure Security Agency. Mitch Herckis, the OMB official delivering the briefing, explained that the form should be signed by senior professionals within the companies. “It is something that I would hope software producers are taking relatively seriously before signing on that bottom line,” Herckis said.

Similar to NIST guidelines, the OMB document also encouraged agencies to determine whether a third-party security assessment is needed.

Steve Lipner, the executive director of SafeCode and the chair of the NIST advisory board, noted that SolarWinds underwent a third-party assessment prior to the software breach. He believes, however, that attestations can be used to hold vendors publicly accountable.