New guidance for US government suppliers includes requirements for software testing.
In the Office of Management and Budget (OMB) Circular A-130, published July 28, 2016, requirements for Supply Chain Risk Management (SCRM) were specified for anyone selling to a US Government organization, including sub-tier suppliers. This means that suppliers of IoT/ICT components and services, whether they sell to the US government directly or indirectly in support of their customers, could be expected to provide NIST SP 800-161 conformant SCRM plans to ensure the integrity, security, resilience, and quality of information systems and to protect against the insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software, as well as poor manufacturing and development practices throughout the system development life cycle.
OMB Circular A-130 “establishes general policy for the…acquisition, and management of Federal information, personnel, equipment, funds, IT resources and supporting infrastructure and services.” The requirements of A-130 “apply to the information resources management activities of all agencies of the Executive Branch of the Federal Government,” and A-130 creates six specific requirements directly related to improving agencies’ supply chain risk management (SCRM) capabilities.
As a matter of policy, A-130 requires agencies to:
1. Consider “supply chain security issues for all resource planning and management activities throughout the system development life cycle;”
2. “[A]nalyze risks (including supply chain risks) associated with potential contractors and the products and services they provide,” for all IT acquisitions; and
3. “[A]llocate risk responsibility between Government and contractor when acquiring IT.”
Appendix I to A-130 “establishes minimum requirements for Federal information security programs.” Appendix I requires agencies to:
4. “[D]evelop, implement, document, maintain, and oversee agency-wide information security and privacy programs;” and
5. “[I]mplement supply chain risk management principles to protect against the insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software, as well as poor manufacturing and development practices throughout the system development life cycle;”
Section 4 of Appendix I articulates specific requirements for “those areas deemed to be of fundamental importance to the achievement of effective agency information security programs and those areas deemed to require specific emphasis by OMB.” Under section 4, agencies are required to:
6. “[D]evelop supply chain risk management plans as described in NIST SP 800-161 (SCRM Practices) to ensure the integrity, security, resilience, and quality of information systems.”