Page:Executive Order 14144.pdf/2

From Wikisource
6756
Federal Register / Vol. 90, No. 11 / Friday, January 17, 2025 / Presidential Documents

Federal Government needs to adopt more rigorous third-party risk management practices and greater assurance that software providers that support critical Government services are following the practices to which they attest.

(i) Within 30 days of the date of this order, the Director of OMB, in consultation with the Secretary of Commerce, acting through the Director of the National Institute of Standards and Technology (NIST), and the Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency (CISA), shall recommend to the Federal Acquisition Regulatory Council (FAR Council) contract language requiring software providers to submit to CISA through CISA’s Repository for Software Attestation and Artifacts (RSAA):
(A) machine-readable secure software development attestations;
(B) high-level artifacts to validate those attestations; and
(C) a list of the providers’ Federal Civilian Executive Branch (FCEB) agency software customers.
(ii) Within 120 days of the receipt of the recommendations described in subsection (b)(i) of this section, the FAR Council shall review the recommendations and, as appropriate and consistent with applicable law, the Secretary of Defense, the Administrator of General Services, and the Administrator of the National Aeronautics and Space Administration (the agency members of the FAR Council) shall jointly take steps to amend the Federal Acquisition Regulation (FAR) to implement those recommendations. The agency members of the FAR Council are strongly encouraged to consider issuing an interim final rule, as appropriate and consistent with applicable law.
(iii) Within 60 days of the date of the issuance of the recommendations described in subsection (b)(i) of this section, the Secretary of Homeland Security, acting through the Director of CISA, shall evaluate emerging methods of generating, receiving, and verifying machine-readable secure software development attestations and artifacts and, as appropriate, shall provide guidance for software providers on submitting them to CISA’s RSAA website, including a common data schema and format.
(iv) Within 30 days of the date of any amendments to the FAR described in subsection (b)(ii) of this section, the Secretary of Homeland Security, acting through the Director of CISA, shall develop a program to centrally verify the completeness of all attestation forms. CISA shall continuously validate a sample of the complete attestations using high-level artifacts in the RSAA.
(v) If CISA finds that attestations are incomplete or artifacts are insufficient for validating the attestations, the Director of CISA shall notify the software provider and the contracting agency. The Director of CISA shall provide a process for the software provider to respond to CISA’s initial determination and shall duly consider the response.
(vi) For attestations that undergo validation, the Director of CISA shall inform the National Cyber Director, who shall publicly post the results, identifying the software providers and software version. The National Cyber Director is encouraged to refer attestations that fail validation to the Attorney General for action as appropriate.

(c) Secure software development practices are not sufficient to address the potential for cyber incidents from resourced and determined nation-state actors. To mitigate the risk of such incidents occurring, software providers must also address how software is delivered and the security of the software itself. The Federal Government must identify a coordinated set of practical and effective security practices to require when it procures software.

(i) Within 60 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST, shall establish a consortium with industry at the National Cybersecurity Center of Excellence to develop