
On June 9, 2023, the Office of Management and Budget (OMB) released M-23-16, Update to Memorandum M-22-18, which alters key deadlines and clarifies how agencies and software developers can comply with M-22-18.  The original memorandum, published in September 2022, required all federal agencies and their software developers to comply with the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF), NIST SP 800-218, and the NIST Software Supply Chain Security Guidance (collectively, NIST Guidance) whenever third-party software is used on government information systems or otherwise affects government information.

Attestation Due Date Extended

The update extends the deadlines by which agencies must collect attestation letters from software developers certifying their compliance with the NIST Guidance.  The previous deadlines were June 12, 2023 for critical software and September 14, 2023 for all other software.  Now, the attestation letter due date hinges on the publication of a common attestation form, which could be finalized with little warning.  Agencies must collect attestation forms for critical software (as defined in OMB Memorandum M-21-30) three months after the common form is approved by OMB and must collect attestation forms for all other software within six months.

Clarifications to the Scope of M-22-18

The update clarifies that attestation forms are not required for proprietary software that is free and publicly available.  OMB explained that such software is given to the public for free and there is no opportunity for the government to negotiate with the developer, making it infeasible for agencies to obtain attestations.  However, free demonstrations or pilots of proprietary software products that are otherwise available for purchase will still require attestations.  OMB also noted that open source software obtained by the government is beyond the scope of the NIST Guidance.

OMB also narrowed the scope of attestations required for software components.  The M-23-16 update explains that agencies will not have to collect separate attestations for third-party software components that are incorporated into a software end product; the attestation covers the end product as delivered.

Additionally, the update gives agency chief information officers (CIOs) the authority to designate software developed by federal contractors as “agency-developed.”  To do so, the CIO must determine that the agency’s specifications and supervision of the contractor were sufficient to ensure that the contractor used secure software development practices throughout the entire software development lifecycle.  This designation matters because “agency-developed” software does not require an attestation.

POAMs Procedure and Guidance

Finally, the update provides guidance on the use of Plans of Action and Milestones (POAM) when a software developer cannot attest to compliance with the NIST Guidance.  The update requires the software developer to specifically identify the practices to which they cannot attest, document the practices they have in place to mitigate risks, and submit a POAM to the agency.  The agency must then find the POAM satisfactory and concurrently seek an extension of the deadline for attestation from OMB.  If the agency does not find the POAM satisfactory or fails to seek an extension, then it must discontinue use of the software.

Next Steps for Government Software Developers

Despite the extended attestation deadlines, companies providing software or products containing software to the federal government should continue to work diligently towards compliance with the NIST Guidance.  The final common attestation form could be published with little warning, triggering a three- or six-month deadline for compliance, depending on whether critical software is implicated. 

Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Jacob Harrison

Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including for cybersecurity compliance reviews, risk assessments, and data breaches.

In his international practice, Jake represents foreign and domestic clients in Foreign Sovereign Immunities Act and Anti-Terrorism Act litigation. He also has experience advising clients involved in cross-border commercial arbitration proceedings.

During law school, Jake served as an associate editor of the Emory Law Journal and interned at the Supreme Court of Georgia and the Georgia House Democratic Caucus. Before attending law school, Jake worked in politics and state government.