FedScoop reports that the U.S. Office of Management and Budget has issued a new memo extending federal agencies' time to collect attestations for critical and non-critical software until three and six months after it approves the attestation form, respectively.
Aside from giving federal agencies more time to gather attestations, the OMB has also emphasized that attestations are not needed for open-source software, which a senior official said would benefit smaller federal agencies. Moreover, federal agency chief information officers have been tasked with determining whether their agencies should treat contractor-developed software as their own, while software producers that cannot attest to the practices in the form would be required to submit a Plan of Action and Milestones (POA&M) document to agencies.
"If the agency finds the documentation satisfactory, it may continue using the software, but must concurrently seek an extension of the deadline for attestation from OMB. Extension requests submitted to OMB must include a copy of the software producer's POA&M," said the memo.
SecurityWeek reports that more than 80% of Cybersecurity and Infrastructure Security Agency employees would be furloughed should a failure to reach a funding bill agreement result in a government shutdown.
CNN reports that a potential compromise of the Department of Homeland Security's sensitive physical security details is being looked into by the department's senior officials following a ransomware attack against contractor and major building automation systems manufacturer Johnson Controls International.