National Institute of Standards and Technology (NIST)

On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”) and the Office of Management and Budget (“OMB”) released the highly-anticipated Secure Software Development Attestation Form (also known as the “Common Form”) and on March 18, 2024 CISA’s repository for the forms went live.Continue Reading CISA Opens Repository for Submission of Software Security Attestation Forms

The Cybersecurity and Infrastructure Security Agency (“CISA”) recently revised its Secure Software Development Attestation Common Form (after receiving over 110 comments on the initial draft), and is seeking additional comments through December 18, 2023. This is an important opportunity for software producers (and others) to provide input that will help shape the future of software supply chain regulations. At a time when the federal government is struggling to harmonize myriad rules on cybersecurity and supply chain, recommendations from industry will be key.Continue Reading Update: CISA Seeks Additional Input from Software Providers on Security Attestation Form

On July 18, 2023, the Biden Administration announced the launch of the long-awaited cybersecurity labeling program, called the “U.S. Cyber Trust Mark,” aimed at providing consumers with a better understanding of the cybersecurity of the products they use daily. This labeling program seeks to enhance transparency and competition in the Internet of Things (“IoT”) device space, to “help differentiate trustworthy products in the marketplace,” and to incentivize manufacturers to meet higher cybersecurity standards.Continue Reading Cybersecurity Labeling is (Almost) Here! Biden Administration Announces the U.S. Cyber Trust Mark Program

On June 9, 2023, OMB released additional guidance on the implementation of OMB Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practice, which requires that federal agencies only use third-party software that is provided by software producers that attest compliance with the secure software development guidance issued by the National Institute of Standards and Technology (NIST). Agencies must obtain a self-attestation from the software producer before using any software that “affects” government information or will be used on government information systems. The requirements are discussed in more detail here.Continue Reading White House Provides New Guidance & Extends Deadline for Secure Software Attestations

The National Institute of Standards and Technology (NIST) has released an initial public draft of NIST SP 800-171, Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Compliance with the security controls in NIST SP 800-171 is required for Department of Defense contractors and is expected to be incorporated into a new Federal Acquisition Regulation (FAR) clause and required for all federal contractors that process, store, or transmit Controlled Unclassified Information (CUI). Continue Reading NIST Releases Initial Public Draft of NIST SP 800-171, Revision 3 for Protection of Sensitive Government Information

The FedRAMP Program Management Office is seeking comments on its draft FedRAMP Authorization Boundary Guidance, Version 3.0, released on September 14, 2022. The public comment period currently is open and closes on October 17, 2022.Continue Reading Third Time’s The Charm – FedRAMP Releases Draft Authorization Boundary Guidance Version 3 for Public Comment

Per Executive Order 14028, Improving the Nation’s Cybersecurity, the Office of Management and Budget (OMB) issued a memorandum on September 14, 2022 requiring federal agencies to only use software from software producers that attest compliance with secure software development guidance issued by the National Institute of Standards and Technology (NIST).Continue Reading Federal Government Outlines New Security and Attestation Requirements for Software

On July 19, 2022, the National Institute of Standards and Technology (NIST) released a Pre-Draft Call for Comments, seeking feedback on improving its Controlled Unclassified Information (CUI) series of publications. The comment period currently is open and scheduled to close on September 16, 2022Continue Reading NIST Wants Your Input – Updating NIST’s Controlled Unclassified Information (CUI) Guidelines

The National Institute of Standards and Technology (“NIST”) is seeking comments on its draft NIST SP 800-160, Volume 2, Revision 1, “Developing Cyber-Resilient Systems: A Systems Security Engineering Approach,” and draft NIST SP 800-53A, Revision 5, “Assessing Security and Privacy Controls in Information Systems and Organizations.” The public comment periods currently are open and conclude on September 20, 2021 and October 1, 2021, respectively.
Continue Reading Double Time – NIST Seeks Comments on Major Revision to Practices for Developing Cyber-Resilient Systems (SP 800-160) and Assessing Security and Privacy Controls in Information Systems and Organizations (SP 800-53A)

The FedRAMP Program Management Office is seeking comments on its draft FedRAMP Authorization Boundary Guidance, Version 2.0, released on July 13, 2021. The public comment period currently is open and closes on September 13, 2021.
Continue Reading Watch Your Boundaries – FedRAMP Releases Draft Authorization Boundary Guidance for Public Comment