In a new memo from the Office of Management and Budget on Wednesday, the Federal Acquisition Regulatory Council will soon propose a rule requiring federal agencies to use a uniform, standard self-attestation form when seeking assurances from software vendors that their products were developed using guidance from the National Institute of Standards and Technology.
In addition to approving the use of self-attestation, the OMB memo allows agencies to accept what is essentially a promise from vendors that they will work toward being able to comply with the NIST guidance on a specific timeline.
Why do we care?
Self-attestation is the controversial portion of the guidance. Of course, the rules would start here. That’s how one gets something rolled out quickly. Project out – a vendor self-attests and is later proven not to have complied, and that’s evidence in the inevitable legal battle. Let’s not be too dismissive of that… despite my desire for more.
More importantly, this is the US government using its buying power. Small, critical step.

