M-23-16, Update to Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices
Jurisdiction
United States
Region
North America
Requirement
Required
Organization
OMB
Provision
Section 4.b of the Self-Attestation Common Form
Applies to
Software producers that serve the Federal government
Date
June 9, 2023
Description
Requires software producers to attest that they have a policy or process for addressing security vulnerabilities discovered before the product is released. This is one item of the secure software development practices that software producers serving the Federal government must attest to under OMB Memorandum M-22-18 (September 2022), using the Self-Attestation Common Form developed by CISA. OMB Memorandum M-23-16 (June 9, 2023) updated M-22-18 by extending the agency deadlines for collecting attestations and by allowing a producer that cannot yet attest to every practice to submit a Plan of Action and Milestones (POA&M) identifying the gaps and the schedule for closing them, which the agency may accept in place of full compliance for the interim period.