US launches secure software development attestation form to enhance federal cybersecurity

The U.S. administration has approved a secure software development attestation form, taking a major step in the implementation of its requirement that producers of software used by the federal government attest to the adoption of secure development practices. The self-attestation form identifies the minimum secure software development requirements a software producer must meet, and attest to meeting, before software subject to the requirements of M-22-18 and M-23-16 may be used by federal agencies. 

Released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB), the common form is primarily used by software producers to attest that the software they produce is developed in conformity with specified secure software development practices. It will help ensure that the software producers who partner with the federal government leverage minimum secure development techniques and toolsets. 

Additionally, the attestation form aims to provide the federal government assurances that software used by agencies is securely developed and provides submission instructions which include online and email options. 

“The Biden-Harris Administration continues to build on that foundation with the release of the secure software development attestation form — a critical step towards ensuring software producers who work with Government provide securely developed products,” Chris DeRusha, federal CISO and deputy National Cyber Director and Eric Goldstein, executive assistant director for cybersecurity at CISA, wrote in a Monday blog post. “This action also furthers the President’s National Cybersecurity Strategy, which made clear that the ‘most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem.’” 

They added that by ensuring “our Government uses software products from software producers that leverage best practices for secure development, we not only strengthen the security of the Federal Government but drive improvements for customers across the globe. We envision a software ecosystem where our partners in state and local government, as well as in the private sector, also seek these assurances and leverage software that is built to be secure by design.”

Following President Joe Biden’s Executive Order 14028 in May 2021 which emphasized the importance of securing software used by the federal government to perform its critical functions. To further this objective, E.O.14028 required NIST to issue guidance ‘identifying practices that enhance the security of the software supply chain.’

The NIST Secure Software Development Framework (SSDF) (SP 800-218), and the NIST Software Supply Chain Security Guidance include a set of practices that create the foundation for developing secure software. E.O.14028 further requires that the director of OMB take appropriate steps to ensure that federal agencies comply with the NIST guidance.

Software requires self-attestation if any of the conditions is met, including the software was developed after September 14, 2022; the software was developed before September 14, 2022, but was modified by major version changes (e.g., using a semantic versioning schema of Major.Minor.Patch, the software version number goes from 2.5 to 3.0) after September 14, 2022; or the producer delivers continuous changes to the software code (as is the case for software-as-a-service products or other products using continuous delivery/continuous deployment). 

The form must be signed by the Chief Executive Officer (CEO) of the software producer or their designee, who must be an employee of the software producer and have the authority to bind the corporation. By signing, that individual attests that the software in question is developed in conformity with the secure software development practices delineated within this form. 

The software may be used by a federal agency, consistent with the requirements of M-22-18, as amended by M-23-16, once the agency has received an appropriately signed copy of the attestation form. The software producer may choose to demonstrate conformance with the minimum requirements by submitting a third-party assessment documenting that conformance. 

A third-party assessment must be performed by a Third Party Assessor Organization (3PAO) that has either been FedRAMP certified or approved in writing by an appropriate agency official. The 3PAO must use relevant NIST Guidance that includes all elements outlined in this form as part of the assessment baseline.

To rely upon a third-party assessment, the software producer must check the appropriate box and attach the assessment to the form. The producer need not sign the form in this instance. The agency shall take appropriate steps to ensure that the assessment is not posted publicly, either by the vendor or by the agency itself.

In the event that an agency cannot obtain a completed self-attestation from the software producer, an agency may still decide to use the producer’s software if the producer identifies the practices to which they cannot attest, documents practices they have in place to mitigate associated risks, and submits a plan of actions and milestones (POA&M) to the agency. 

When an attestation is not provided, per OMB guidance, agencies are responsible for requesting from OMB an extension or waiver for the continued use. This common self-attestation form fulfills the minimum requirements set forth by OMB in M-22-18, as amended by M-23-16. The attestation form, background, and instructions are subject to change and may be modified.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.