How to Provide SSDF Supply Chain Security Attestation

If you are not already, now is the time to start thinking about the U.S. government’s supply chain security requirements for vendors. Since the Solarwinds supply chain attack in 2020, the U.S. government has put more pressure on technology providers to take responsibility for the security of their products. 

As CISA Director Jen Easterly put it recently: “Consumers and businesses alike expect that cars and other products they purchase from reputable providers will not carry risk of harm. The same should be true of technology products. This expectation requires a fundamental shift of responsibility. Technology providers and software developers must take ownership of their customers’ security outcomes rather than treating each product as if it carries an implicit caveat emptor.”

To that end, the U.S. Office of Management and Budget (OMB) will start requiring attestation from vendors that their products have been developed securely. Last month, the OMB released new implementation details about the supply chain security attestations. The goal is to ensure that technology providers are following Secure Software Development Framework (SSDF) guidelines from the U.S. National Institute of Standards and Technology (NIST). 

Eclypsium has already prepared attestation for our own software. Are you ready? 

Some key points you should consider regarding supply chain attestation …

1. Vendors Must Take Responsibility for Product Security

The supply chain security attestation requires that technology vendors selling to the U.S. federal government are accountable for the security of their whole product—even open source and third-party components that they did not build themselves. The burden falls on the “producer of the end product,” meaning the vendor or manufacturer that packages the components together, not the upstream suppliers or the downstream resellers. 

That means you need to check for vulnerabilities and updates in order to verify the integrity of those components and sub-components that go into the solution you are selling. And it’s not just at the time of the sale, but throughout the product’s lifecycle. 

The consequence for signing the attestation form and not doing these things is not just losing government contracts, but potentially exposing your executives to criminal liability: “Providing this information is mandatory. Failure to provide any of the information requested may result in the agency no longer utilizing the software at issue. Willfully providing false or misleading information may constitute a violation of 18 U.S.C. § 1001, a criminal statute.” 

2. Think About Infrastructure, Not Just Application Software

While software supply chain security is getting a lot of well-deserved attention, the U.S. government guidelines define software broadly—basically anything in a product that uses programmed logic. It could be an off-the-shelf software application, a laptop, or a printer. 

The OMB memo reinforces this point, stating, “For the purposes of M-22-18 and this memorandum, ‘software’ includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.”

This means that firmware running below the operating system (BIOS/UEFI, BMCs, etc) as well as firmware powering network and storage appliances are also required to have SSDF attestation. 

The supply chain security attestation requirements cover IT infrastructure for good reason: Attackers are increasingly targeting network equipment and server management software as a way to evade endpoint security controls. That’s why the U.S. Cybersecurity & Infrastructure Security Agency (CISA) recently issued a binding operational directive for federal agencies to remove or secure Internet access to network devices. It’s important to keep track of the vulnerable software and firmware components in these devices. 

How Eclypsium Can Help with SSDF Attestation

Eclypsium offers supply chain security for enterprise infrastructure. Only Eclypsium provides verification and assurance for the software, firmware, and hardware components that go into IT infrastructure products such as laptops, servers, and network appliances. If your organization manufacturers these types of products, or uses them in a service that you sell to the federal government, Eclypsium can help with the SSDF attestation requirements.

The Eclypsium supply chain security platform can help technology suppliers attest to the requirements put forth in subsection (4)(e) of EO 14028, Improving the Nation’s Cybersecurity and associated SSDF practices and tasks.

Attestation RequirementEO 14028 SectionSSDFEclypsium Capabilities
Trust relationship auditing(B)PO.5.1You can track the relationship between embedded software, firmware, and hardware components in a product.
Maintain trusted source code supply chains4e(iii)PO.3.1, PO.3.2, PO.5.1, PO.5.2, PS.1.1, PS.2.1, PS.3.1, PW.4.1, PW.4.4For each component, you can easily see the vendor along with other details of where the component came from.
Check software for vulnerabilities and remediate4e(iv)PO.4.1, PO.4.2, PS.1.1, PW.2.1, PW.4.4, PW.5.1, PW.6.1, PW.6.2, PW.7.1, PW.7.2, PW.8.2, PW.9.1, PW.9.2, RV.1.1, RV.1.2, RV.2.1, RV.2.2, RV.3.3Only Eclypsium analyzes the actual binaries to detect vulnerabilities in firmware and other components, and then offers assistance in rolling out the patches needed for remediation.
Maintain provenance data for internal and 3rd party components4e(vi)PO.1.3, PO.3.2, PO.5.1, PO.5.2, PS.3.1, PS.3.2, PW.4.1, PW.4.4, RV.1.1, RV.1.2You can identify the internal components within your devices and verify the integrity of assets to see if you are affected by a supply chain issue or attack.
Provide a software bill of materials (SBOM) for each product4e(vii)PS.3.2You can download SBOMs in the SPDX format for products and components, simplifying the task of compiling these documents and providing attestation.
Attest to the integrity and provenance of open-source software components4e(x)PS.2.1, PS.3.1, PS.3.2, PW.4.1, PW.4.4Eclypsium has the largest database of verified components so that you can be sure that your assets have not been tampered with or otherwise compromised.

If you are unsure what the new CISA attestation requirements mean or how to go about meeting them, Eclypsium can help. Please schedule a demo where we can understand your needs and provide our expertise. 

More resources: