Building on the cybersecurity executive order signed by President Joe Biden in May 2021, a memorandum from the OMB requires federal agencies to comply with NIST guidance — for secure software development and supply chain security — when using third-party software. In order to ensure compliance, agencies will have to at least obtain a self-attestation form from software developers whose products they are using or plan on using.

The forms must be obtained within 270 days for critical software and within one year for other software.