Analysis
On January 16th 2025, a new Presidential Executive Order (EO) was released that details the expectations, mandates, and trajectory of cybersecurity within Federal Agencies. Details of the Executive Order can be found on the CISA website.
This most notably affects agencies that are part of the FCEB (Federal Civilian Executive Branch; see the Federal Civilian Executive Branch Agencies List on the CISA website). One of the key elements of this new EO is the requirement for CISA to provide stronger oversight and regulation of government-used supply chain vendors through the NIST SSDF (Secure Software Development Framework) and the CISA RSAA (Repository for Software Attestations and Artifacts).
- The SSDF is driven by the following guidance: NIST SP 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities (CSRC).
- The SSDF is applicable to supply chain vendors that are providing prebuilt software packages to federal government agencies as a primary form of service. Examples of these vendors include highly popularized software supply chain services that provide pre-built containers, host configurations, and Infrastructure as Code (IaC), as a primary service offering.
- At this time, the current implementation of the SSDF and CISA allows agencies to self-evaluate and self-attest to their compliance with NIST SP 800-218, similarly to the pre-CMMC v2 NIST SP 800-171 commercial vendor RMF evaluation process. However, per the EO, CISA was directed to harden the SSDF process and require supply chain vendors servicing federal agencies to provide an attestation to CISA before their supply chain services are allowed to be used.
- The RSAA (see the Repository for Software Attestations and Artifacts (RSAA) User Guide on the CISA website) is the official repository where supply chain vendors will be expected to submit attestations for evaluation and acceptance by CISA. This repository is envisioned to operate like the FedRAMP marketplace and act as a platform where Federal Agencies can shop for and query the compliance status of trusted supply chain vendors.
- As a 3PAO, we recommend that supply chain vendors evaluate their services against the SSDF and obtain an attestation through a formal A2LA/federally approved auditor. These activities future-proof the attestation against the enhanced requirements and expectations coming to the SSDF and to the soon-to-be-mandated RSAA attestation process.
Vendor Adoption
Supply chain vendors that adopt the SSDF and attest early with a thorough and defensible attestation will be positioned at the forefront of the market for FCEB federal agencies. This will protect them from being dropped by FCEB agencies that will be mandated to use attested supply chain vendors. The mandates of the EO are being pushed to the agencies with highly aggressive timelines. Agencies will find themselves scrambling to quickly evaluate all of their supply chains and determine if they have an attestation record within the RSAA.
Vendors that are late to the RSAA and are not early adopters will be held to much more strenuous requirements as the SSDF is re-versioned to meet the mandate’s enhanced expectations. Formal attestations that are well written and comprehensive will be those most likely to survive and be used as success examples in the RSAA registry.
Fortreum is an independent firm specializing in audit, advisory, and technical testing services, delivering cybersecurity expertise in highly regulated industries. Our mission is to simplify cloud and cybersecurity challenges for our clients. With nearly 25 years of combined experience in both the public and private sectors, Fortreum is dedicated to addressing our customers’ complex cloud and cybersecurity needs.
For more information, visit the Fortreum website or follow the company on LinkedIn at LinkedIn.com/company/fortreum.
Should you have questions about your FedRAMP, XRAMP, cloud, and cybersecurity readiness, please reach out to us at Info@fortreum.com or via our Contact Us page at https://fortreum.com/contact/