White House cyber memo compels vendors to attest software meets security standards

Federal agencies will have 120 days to develop a consistent process for collecting cybersecurity assurance from software providers.

Federal agencies will have to obtain self-attestation from software providers before deploying their software on government systems, according to a new memo issued Wednesday by the White House.

Under the guidance, federal departments must ensure that all third-party IT software deployed adheres to National Institute of Standards and Technology supply chain security requirements and get proof of conformance from vendors.

The memo represents the latest policy initiative from the White House as the executive branch works to rapidly improve cybersecurity standards across federal agencies. FedScoop previously reported details of the forthcoming guidance, which has raised concern among technology industry leaders.

The Biden administration has introduced an array of new measures to ensure agencies modernize their cyber defenses and implement zero-trust architectures since the publication of its cybersecurity executive order in May 2021.
This June, industry executives canvassed by FedScoop expressed a strong preference that the White House pursue a self-attestation requirement rather than a third-party verification process along the lines of the Pentagon’s troubled Cybersecurity Maturity Model Certification.

According to the new memo from the Office of Management and Budget, federal agencies will have 90 days to inventory all of their software and to create a separate inventory for critical software.

Within 120 days of the memo, agencies must also develop a consistent process for communicating the relevant requirements to software providers and for collecting letters of attestation from them.

OMB will enforce the new guidance and manage extension requests for the implementation timeframe. It will also work with the Cybersecurity and Infrastructure Security Agency and the General Services Administration to establish requirements for a central repository for software attestations and artifacts.

A copy of the new memo was first obtained by The Washington Post.

Written by John Hewitt Jones

John is the managing editor of FedScoop, and was previously a reporter at Institutional Investor in New York City. He has a master’s degree in social policy from the London School of Economics and his writing has appeared in The Scotsman and The Sunday Times of London newspapers.