Federal Agencies to Institute New Vendor Verification Process

On April 27, 2023, the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) released a draft self-attestation common form for federal agencies to use when vetting software vendors [1]. According to CISA, Chris DeRusha, the federal chief information security officer at OMB, said that “this common form will ensure federal agencies are procuring and implementing third-party information technology software that complies with the National Institute of Standards and Technology standard Secure Software Development Framework.”

The common form implements OMB Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices, which, per FCW, is itself a direct reaction to the Executive Order on Improving the Nation’s Cybersecurity (EO 14028), released on May 12, 2021. The order required the federal government to “recommend . . . contract language requiring suppliers of software available for purchase by agencies to comply with, and attest to complying with, any requirements issued pursuant to [the Executive Order].”

The self-attestation process applies only to producers of software supplied to federal agencies, so the vendors your organization relies on may not be covered by it. Your organization can still use the practices the form asks about as a template for questioning your own software vendors about their development practices.

Here’s a checklist for your organization to use in vetting software vendors.  

  • Request a copy of the potential vendor’s security policies and incident response plans to ensure that they are in accordance with current best practices;  

  • Consider these data points recommended by 16 members of Forbes’ Technology Council when vetting a potential vendor:  

    • The security posture, certifications, and attestations of the vendor;  

    • Whether the vendor shows a commitment to accessibility by ensuring that their software is accessible to all users;  

    • The vendor’s onboarding speed, which includes “the amount of time it would take for them to understand your business operations and adjust or integrate their technology to meet your specific business needs”;  

    • Whether you and the vendor can establish integrations and prove compatibility among your systems;

    • How the vendor is managed to ensure their management comports with your organization’s standards;  

    • Whether your delivery velocity matches that of your vendor;

    • How your organization’s specific business needs and outcomes will be addressed by the vendor;  

    • The adaptability of the vendor;  

    • Reviews from the vendor’s previous clients and service level agreements maintained by the vendor;  

    • The vendor’s experience and expertise;  

    • The security of the vendor’s supply chain;  

    • Whether the vendor shares the same values and interests as your organization;

    • How easy the vendor’s technology is to use;  

    • The vendor’s track record for delivering quality products or services;  

    • The vendor’s willingness to submit a confidential software bill of materials; and  

    • How the vendor’s team will work with your organization.  

  • Members of the Forbes Technology Council recommend asking potential vendors the following questions:  

    • “How do you align with our unique security needs?”

    • “Do you treat customer data as the highest-value asset?”

    • “How many of your employees have access to client data?”

    • “When was your last third-party pentest done?”

    • “Do you allow your customers to control their sensitive data in the cloud?”

    • “Tell me about your security team.”

    • “Do you understand your full attack surface?”

    • “How is your security system designed?”

    • “How do you train your team to handle incident response?”

    • “Will you ever access our data?”

    • “Can you tailor your service to my business?”

    • “Tell me about the SaaS applications you use.”

    • “Do you have SOC 2 Type 2 certification?”

    • “Tell me about the details of your SOC 2 report.”
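The checklist above asks whether a vendor will hand over a software bill of materials, but an SBOM is only useful if it is complete enough to match against vulnerability advisories. The following script is an added example, not code from the original article or from any vendor or agency: it runs a first-pass completeness check over a CycloneDX JSON SBOM, flagging components with no version, components with neither a package URL nor a hash (so they cannot be identified), duplicate entries, and dependency edges that point at components the SBOM never lists. The sample SBOM embedded in the script is constructed for illustration and does not describe a real product.

```python
"""First-pass completeness check for a vendor-supplied CycloneDX JSON SBOM.

Added example for vendor vetting; the sample document below is constructed
and does not describe any real vendor's software.
"""
import json

# Constructed sample: two well-formed components, one with no version, one
# with neither a purl nor a hash, and a dependency on a missing bom-ref.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "component": {"type": "application", "bom-ref": "vendor-app",
                      "name": "vendor-app", "version": "3.2.1"},
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/requests@2.31.0",
         "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"type": "library", "bom-ref": "pkg:npm/lodash@4.17.21",
         "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "bom-ref": "lib-openssl",
         "name": "openssl",                      # no version: cannot be matched to advisories
         "purl": "pkg:generic/openssl"},
        {"type": "library", "bom-ref": "lib-internal",
         "name": "internal-crypto", "version": "0.9"},   # no purl and no hash
    ],
    "dependencies": [
        {"ref": "vendor-app", "dependsOn": ["pkg:pypi/requests@2.31.0", "lib-internal"]},
        {"ref": "lib-internal", "dependsOn": ["lib-missing"]},   # dangling reference
    ],
})


def check_sbom(text: str) -> list:
    """Return a list of human-readable findings; an empty list means the SBOM passed."""
    doc = json.loads(text)
    findings = []
    if doc.get("bomFormat") != "CycloneDX":
        findings.append("not a CycloneDX document")
        return findings

    refs = set()   # every bom-ref that a dependency edge may legitimately point at
    meta_component = doc.get("metadata", {}).get("component")
    if not meta_component:
        findings.append("metadata.component (the product itself) is missing")
    elif "bom-ref" in meta_component:
        refs.add(meta_component["bom-ref"])

    components = doc.get("components", [])
    if not components:
        findings.append("no components listed")

    seen = set()
    for index, comp in enumerate(components):
        label = comp.get("name") or f"component #{index}"
        if not comp.get("name"):
            findings.append(f"{label}: missing name")
        if not comp.get("version"):
            findings.append(f"{label}: missing version (cannot match against advisories)")
        if not comp.get("purl") and not comp.get("hashes"):
            findings.append(f"{label}: neither purl nor hash (cannot identify the package)")
        key = (comp.get("name"), comp.get("version"))
        if key in seen:
            findings.append(f"{label}: duplicate entry for version {comp.get('version')}")
        seen.add(key)
        if "bom-ref" in comp:
            refs.add(comp["bom-ref"])

    # Dependency graph integrity: every edge must land on a listed component.
    for dep in doc.get("dependencies", []):
        for target in dep.get("dependsOn", []):
            if target not in refs:
                findings.append(
                    f"dependency {dep.get('ref')} -> {target}: target not in components")
    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM):
        print(finding)
```

Run against the constructed sample the check reports three problems (the unversioned openssl entry, the unidentifiable internal-crypto entry, and the dangling lib-missing dependency); a clean SBOM yields an empty list. A real review would feed a passing SBOM into a vulnerability matcher next, which is exactly why a missing version or package identifier is treated as a defect rather than a cosmetic gap.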

Working With a SOC 2 Report

JD Supra provides insights about how to read a SOC 2 report and which of its components your organization should consider during your review:

  • Request a copy of the vendor’s SOC 2 report so that you can review the independent auditor’s opinion on the vendor’s controls against the five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Only the security criterion is mandatory in a SOC 2 examination; the other four appear only if the vendor chose to include them, so confirm which criteria the report actually covers. Prefer a Type 2 report, which tests whether the controls operated effectively over a period (typically six to twelve months), over a Type 1 report, which only describes the controls at a point in time, and read the exceptions the auditor lists as well as any complementary user entity controls your own organization is expected to implement for the auditor’s opinion to hold.

  • “Consult colleagues and question service vendors about aspects of their information security operations that are unclear even after a close reading of the SOC report.”  

  • Inquire into any “data breaches, service level assurances, liability limitations, and incident response time” of the potential vendor.  

  • Request a copy of a potential vendor’s cyber insurance policy, if one is maintained, to determine “whether that policy will cover reasonably anticipated losses in the event that confidential client information is lost or stolen.” If the vendor does not maintain a cyber insurance policy, consider requiring them to establish one as a condition of becoming your vendor.

The draft common form underwent a public comment period, after which the two agencies began preparing a final version. According to OMB memorandum M-22-18, federal agencies will have 120 days following publication of the final form to begin collecting completed attestations from vendors; the memorandum also phases collection, with attestations for critical software due before those for all other software.

Statements reported by FCW highlight concerns raised about this tight timeline. Joanne Woytek, program manager of NASA's Solution for Enterprise-Wide Procurement (SEWP), notes that requiring software vendors to participate in this self-attestation process is "not as simple as it sounds." In fact, she suggested that without a “magic wand that makes this happen,” she anticipates OMB will push this deadline to a later date.

[1] http://www.cisa.gov/sites/default/files/2023-04/secure-software-self-attestation_common-form_508.pdf
