CISA seeks inputs on secure software development attestation common form for developers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has called for public comment on a self-attestation form to be used by software producers. After obtaining and considering public comment, the agency will, in coordination with the Office of Management and Budget (OMB), prepare a submission requesting clearance of this collection as a Common Form, so that agencies beyond DHS can use the same form and streamline the information collection process. Comments are encouraged and will be accepted until June 26, 2023.

The CISA move falls in line with U.S. President Joe Biden’s May 2021 Executive Order 14028 on Improving the Nation’s Cybersecurity and a September 2022 OMB memorandum that seeks to enhance the security of the software supply chain in accordance with NIST guidance. Under the OMB memorandum, CISA has agreed to serve as the steward for this collection.

The 60-day notice published Thursday in the Federal Register outlines assumptions made by the DHS and welcomes comments on all assumptions. “CISA’s common self-attestation form does not preclude agencies from adding agency-specific requirements to the minimum requirements in CISA’s common self-attestation form. However, any agency-specific attestation requirements, modification, and/or supplementation of these common forms will require clearance by OMB/OIRA under the PRA process and are not covered by this notice,” it added.

The notice said that DHS assumes vendors would make 2,689 initial form submissions and 1,345 resubmissions of the form per year, the latter triggered by major software changes. “This estimate applies across DHS, including all component agencies. DHS based this estimate on initial contract award data for Fiscal Years 2019 through 2022 from DHS’s Federal Procurement Data System (FPDS),” it added.

According to the notice, DHS used data for contract awards that could, in the future, require a response to this collection, selected by the FPDS Product and Service Codes (PSC) ‘D’ (Automatic Data Processing and Telecommunication) and ‘R’ (Professional, Administrative, and Management Support).

The burden estimate for the attestation form also accounts for the time needed to review the form and understand its requirements, gather the information, review and approve the release of that information, and submit the form.

The notice added that the “DHS assumes a three-hour burden per initial submission for a software quality assurance analyst or tester and an additional 20 minutes per initial submission for a Chief Information Security Officer (CISO). Vendors would have to resubmit the attestation form for major software changes, and DHS assumes half the number of initial submissions will result in a resubmission. DHS assumes that resubmissions would take 1 hour and 30 minutes for a software quality assurance analyst or tester and retains 20 minutes for a CISO.” 

The Federal Register notice added that DHS acknowledges the information collection request allows a vendor to reuse a previously submitted form for multiple agencies. DHS welcomes public comment on how frequently this might happen and on how to reduce respondent burden from this collection, where feasible.

When it came to estimating opportunity costs, DHS uses an hourly compensation rate of $67.90 for a software quality assurance analyst or tester and $177.66 for a CISO, the notice said. “DHS estimates software quality assurance analyst or tester annual hours would be 10,084 for initial and resubmissions by multiplying $67.90 compensation rate to estimate the opportunity cost of $684,733. DHS estimates CISO annual hourly burden of 1,345 hours and multiplying $177.66 compensation rate to a CISO estimate the opportunity cost of $238,890. DHS combines these two opportunity costs to calculate a total opportunity cost for the collection of $923,623,” it added.

The Federal Register notice also said that DHS assumes that if a vendor needs to provide any additional attestation artifacts or documentation, including Software Bills of Materials (SBOMs), this information would already be readily available and would not have to be generated specifically for doing business with the government. “DHS is interested in comments on the burden and costs if SBOMs or additional artifacts materials need to be generated or reformatted to fulfill an agency/component request,” it added.

The notice also identified that for the purposes of this initial collection, DHS is proposing the common form be a fillable/fileable PDF form. “Vendors could access the form on the DHS/CISA website and submit via the DHS website OR email the completed form to [email protected]. Other agencies will be required to seek approval to use the common form by submitting their agency-specific burden and cost analyses to OMB,” it added.

Input is requested on any aspect of the proposed common form, including its instructions. DHS/CISA is interested in whether the proposed collection of information, which implements requirements of both the Executive Order and the OMB guidance, will have practical utility. It also asks whether DHS has accurately estimated the burden of the proposed collection, including the validity of the methodology and assumptions used, and seeks other ways for DHS to enhance the quality, utility, and clarity of the information to be collected.

Additionally, the notice seeks comment on how DHS could minimize the burden of the collection on those who must respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses.

The notice said that the requirement for agencies to ‘obtain a self-attestation from the software producer before using the software’ applies both to new software developed after the September 2022 date of memo issuance and to existing software that is modified by major version changes after that date. The memorandum “brings into existence a new and sizable conformity assessment community. The memorandum introduces conformity assessment expectations and activities for the supply chain starting with the software producer and ending with the federal agency putting the software into use,” it added.

Earlier this month, CISA published its SBOM sharing lifecycle report that enumerates and describes the different parties and phases of the SBOM sharing lifecycle. It also assists readers in choosing suitable SBOM sharing solutions based on the amount of time, resources, subject-matter expertise, effort, and access to tooling that is available to the reader to implement a phase of the SBOM sharing lifecycle.

Before that, CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, the U.K., Germany, the Netherlands, and New Zealand (CERT NZ, NCSC-NZ) published joint guidance urging software manufacturers to take the urgent steps necessary to ship products that are secure-by-design and secure-by-default. The guidance aims to shift the balance of cybersecurity risk away from customers by applying secure-by-design and secure-by-default principles and approaches.
