CISA publishes repository for software attestation and artifacts to reduce federal government cyber risk

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced this week the availability of the Repository for Software Attestation and Artifacts that software producers who partner with the federal government can use to upload software attestation forms and relevant artifacts. Software integrity is key to protecting federal systems from malicious cyber actors seeking to disrupt the nation’s critical functions. The new repository will help federal agencies employ software from producers that attest to using sound secure development practices.  

“Software underpins nearly every service our government delivers on behalf of the American people. This is why CISA and our partners are working to transform federal cybersecurity practices by advancing strong software development security practices for the software upon which Americans depend,” Eric Goldstein, executive assistant director for cybersecurity, said in a media statement. “The repository for software attestation and artifacts will enable a standardized process for agencies and software producers that provides transparency on the security of software development. We look forward to further refining the process to continue elevating software security across the federal enterprise.”  

Recently, CISA and the Office of Management and Budget (OMB) announced the secure software development attestation form, which enables software producers serving the federal government to attest to the implementation of specific security practices.  

The self-attestation form identifies the minimum secure software development requirements a software producer must meet, and attest to meeting, before software subject to the requirements of M-22-18 and M-23-16 may be used by federal agencies. This common self-attestation form fulfills the minimum requirements set forth by OMB in M-22-18, as amended by M-23-16, and is used by software producers to attest that the software they produce is developed in conformity with specified secure software development practices.

Software requires self-attestation if the software was developed after Sept. 14, 2022; the software was developed prior to Sept. 14, 2022, but was modified by major version changes after that date; or the producer delivers continuous changes to the software code (as is the case for software-as-a-service products or other products using continuous delivery/continuous deployment). 

Further, certain software products and components are not in scope for M-22-18, as amended by M-23-16, and do not require a self-attestation. These include software developed by federal agencies; open-source software that is freely and directly obtained by a federal agency; third-party open-source and proprietary components that are incorporated into the software end product used by the agency; or software that is freely obtained and publicly available. 

The software attestation form must be signed by the Chief Executive Officer (CEO) of the software producer or their designee, who must be an employee of the software producer and have the authority to bind the corporation. By signing, that individual attests that the software in question is developed in conformity with the secure software development practices delineated within this form. The software may be used by a federal agency, consistent with the requirements of M-22-18, as amended by M-23-16, once the agency has received an appropriately signed copy of the attestation form.

The software producer may choose to demonstrate conformance with the minimum requirements by submitting a third-party assessment documenting that conformance. A third-party assessment must be performed by a Third Party Assessor Organization (3PAO) that has either been FedRAMP certified or approved in writing by an appropriate agency official. The 3PAO must use relevant NIST Guidance that includes all elements outlined in this form as part of the assessment baseline.

To rely upon a third-party assessment, the software producer must check the appropriate box in Section III and attach the assessment to the form. The producer need not sign the form in this instance. The agency shall take appropriate steps to ensure that the assessment is not posted publicly, either by the vendor or by the agency itself.

Earlier this month, the U.S. administration approved the secure software development attestation form, a major step in implementing its requirement that producers of software used by the federal government attest to the adoption of secure development practices.
