Industry Memo for Supply Chain Risk Management (SCRM) (M-22-18 updated by M-23-16)

From: Federal Government (Federal)
EPA_SCRM_2024_01

Basic Details

Start Date: 10 Jan, 2024
Due Date: 30 Sep, 2024
Type: Bid Notification
Identifier: EPA_SCRM_2024_01
Customer / Agency: ENVIRONMENTAL PROTECTION AGENCY (3534), OFC OF MISSION SUPT (OMS) (FUNDING) (1)


MESSAGE TO INDUSTRY

Background

On September 14, 2022, the Office of Management and Budget (OMB) issued memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices. The memo requires Federal agencies to comply with the National Institute of Standards and Technology (NIST) Guidance when using third-party software on the agency’s information systems or otherwise affecting the agency’s information. This guidance was updated on June 9, 2023, by OMB M-23-16, which extended the due dates for attestation collection and announced metrics collection for waivers and extensions.

Authority

The Federal Information Security Modernization Act (FISMA) and other provisions of Federal law authorize the Director of OMB to promulgate information security standards for information security systems, including to ensure compliance with standards issued by NIST. Consistent with these authorities and the directives of Executive Order (EO) 14028, the M-22-18 memorandum requires each Federal agency to comply with the NIST Guidance when using third-party software on the agency’s information systems or otherwise affecting the agency’s information.

Implementation

To comply with Executive Order 14028 and OMB Memorandum M-22-18 (as updated by M-23-16), EPA will update its processes to approve software, including requiring vendor attestations. In line with OMB guidance in M-23-16, EPA anticipates collecting attestations for “critical software” 3 months after OMB Paperwork Reduction Act (PRA) approval of the common form, and collecting attestation letters for all other software 6 months after OMB PRA approval of the common form. EPA will begin collecting attestation letters as part of pre-award and post-award contract deliverables once final OMB guidance is received regarding use of the common form for all impacted software. To learn more, see Executive Order 14028, M-22-18, and M-23-16.

Communications

This communication is being posted by the EPA Office of Acquisition Solutions on behalf of the EPA Chief Information Officer. Questions can be submitted at SCRM@epa.gov.

Location

Office Address: USEPA HEADQUARTERS, W J CLINTON BDG 1200 PENNSYLVANIA AVENUE, N. W. WASHINGTON, DC 20460 USA
Country: United States
State: District of Columbia
City: Washington
