|
guidance, informed by the consortium as appropriate, that demonstrates the implementation of secure software development, security, and operations practices based on NIST Special Publication 800–218 (Secure Software Development Framework (SSDF)).
(ii) Within 90 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST, shall update NIST Special Publication 800–53 (Security and Privacy Controls for Information Systems and Organizations) to provide guidance on how to securely and reliably deploy patches and updates.
(iii) Within 180 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST, in consultation with the heads of such agencies as the Director of NIST deems appropriate, shall develop and publish a preliminary update to the SSDF. This update shall include practices, procedures, controls, and implementation examples regarding the secure and reliable development and delivery of software as well as the security of the software itself. Within 120 days of publishing the preliminary update, the Secretary of Commerce, acting through the Director of NIST, shall publish a final version of the updated SSDF.
(iv) Within 120 days of the final update to the SSDF described in subsection (c)(iii) of this section, the Director of OMB shall incorporate select practices for the secure development and delivery of software contained in NIST’s updated SSDF into the requirements of OMB Memorandum M–22–18 (Enhancing the Security of the Software Supply Chain through Secure Software Development Practices) or related requirements.
(v) Within 30 days of the issuance of OMB’s updated requirements described in subsection (c)(iv) of this section, the Director of CISA shall prepare any revisions to CISA’s common form for Secure Software Development Attestation to conform to OMB’s requirements and shall initiate any process required to obtain clearance of the revised form under the Paperwork Reduction Act, 44 U.S.C. 3501 et seq.
(d) As agencies have improved their cyber defenses, adversaries have targeted the weak links in agency supply chains and the products and services upon which the Federal Government relies. Agencies need to integrate cybersecurity supply chain risk management programs into enterprise-wide risk management activities. Within 90 days of the date of this order, the Director of OMB, in coordination with the Secretary of Commerce, acting through the Director of NIST, the Administrator of General Services, and the Federal Acquisition Security Council (FASC), shall take steps to require, as the Director deems appropriate, that agencies comply with the guidance in NIST Special Publication 800–161 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800–161 Revision 1)). OMB shall require agencies to provide annual updates to OMB as they complete implementation. Consistent with SP 800–161 Revision 1, OMB’s requirements shall address the integration of cybersecurity into the acquisition lifecycle through acquisition planning, source selection, responsibility determination, security compliance evaluation, contract administration, and performance evaluation. (e) Open source software plays a critical role in Federal information systems. To help the Federal Government continue to reap the innovation and cost benefits of open source software and contribute to the cybersecurity of the open source software ecosystem, agencies must better manage their use of open source software. Within 120 days of the date of this order, the Secretary of Homeland Security, acting through the Director of CISA, and the Director of OMB, in consultation with the Administrator of General Services and the heads of other agencies as appropriate, shall jointly issue recommendations to agencies on the use of security assessments and patching of open source software and best practices for contributing to open source software projects. Sec. 3. Improving the Cybersecurity of Federal Systems.. (a) The Federal Government must adopt proven security practices from industry—to include |
Page:Executive Order 14144.pdf/3
Federal Register / Vol. 90, No. 11 / Friday, January 17, 2025 / Presidential Documents
6757
