Special Notice: Environmental Protection Agency (EPA) - Supply Chain Risk Management (SCRM)
The Environmental Protection Agency (EPA) has issued a special notice regarding the implementation of supply chain risk management (SCRM) measures. This notice is in response to the Office of Management and Budget (OMB) memorandum M-22-18, which aims to enhance the security of the software supply chain through secure software development practices.
The EPA is required to comply with National Institute of Standards and Technology (NIST) guidance whenever third-party software is used on its information systems or otherwise affects the agency's information. This guidance was updated by OMB memorandum M-23-16, which extended the due dates for attestation collection and announced metrics collection for waivers and extensions.
To comply with Executive Order 14028 and the OMB memorandums, the EPA will update its processes for approving software, including the requirement of vendor attestations. The agency anticipates collecting attestations for "critical software" three months after OMB Paperwork Reduction Act (PRA) approval of the common form. For all other software, attestation letters will be collected six months after OMB PRA approval of the common form.
The EPA will begin collecting attestation letters as part of pre-award and post-award contract deliverables once final OMB guidance is received regarding the use of the common form for all impacted software.
For more information, please refer to Executive Order 14028 and OMB memoranda M-22-18 and M-23-16. Any questions can be submitted to SCRM@epa.gov.