The Cybersecurity and Infrastructure Security Agency (CISA) is seeking public comment on the secure software development common self-attestation form to be completed by software producers that sell software to the federal government. Federal agencies are scheduled to begin collecting attestation forms for critical software by June 2023 and for all other software by September 2023.
Per Executive Order 14028, Improving the Nation’s Cybersecurity, and OMB memorandum, M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices, federal agencies are required to only use third-party software that meets the secure software development principles as outlined in NIST SP 800-218, Secure Software Development Framework, and the NIST Software Supply Chain Security guidance. Discussed in more detail here. Agencies must obtain a self-attestation from the software producer before using any software that “affects” government information or will be used on government information systems.
The OMB memorandum directs CISA to create a common self-attestation form suitable for use by all federal agencies. An agency can require additional attestation requirements, modifications, or supplements to the common self-attestation form, but the agency will need OMB approval for any changes. Whether agencies choose to use the CISA self-attestation form or implement different processes remains to be seen. The General Services Administration released an Acquisition Letter, MV-23-01, in January 2023 that adopted a different definition of “software” than the OMB memorandum. However, the letter also committed to using CISA’s common self-attestation form once available.
The OMB memorandum defines “Software,” as “firmware, operating systems, applications, application services (e.g., cloud-based software), and products containing software.” The memorandum requires attestations for software that (1) was developed after September 14, 2022 or (2) was modified by a major version change after September 14, 2022. The CISA proposed self-attestation form includes a third category of software that will require attestation. A self-attestation also will need to be submitted for (3) “any software to which the producer delivers continuous changes to the software code (such as software-as-a-service products or other products using continuous delivery/continuous deployment).”
The form allows for a software producer with software that has been verified by a FedRAMP third party assessor organization (3PAO) or other agency-approved 3PAO to submit the assessment documentation in lieu of an attestation.
The self-attestation form lists four main categories of requirements from the Secure Software Development Framework to which software producers must attest:
- The software was developed and built in secure environments.
- The software producer made a good faith effort to maintain trusted source supply chains, including employing automated tools and establishing a process to address the security of third-party components and vulnerabilities.
- The software producer maintains provenance data for internal and third-party code incorporated into the software.
- The software producer employed automated tools that check for security vulnerabilities.
CISA is particularly interested in feedback on the following aspects of the proposed common self-attestation form:
- CISA requests more information on the potential burden on producers of collecting the requested information. CISA estimates the time burden for completing the attestation form for each software producer will amount to roughly 3.3 hours per self-attestation form. The form requires the Chief Executive Officer of the software producer or a designee to sign the form and attest to secure software development practices. The CISA form notes that providing false or misleading information on the form could result in a violation of 18 U.S.C. § 1001, which imposes criminal liability for false statements.
- CISA specifies that a software producer will need to resubmit the self-attestation form for any major software changes. CISA seeks comment on how frequently this may happen and how to reduce respondent burden due to collection.
- CISA also seeks comment on the burdens and costs of providing additional attestation artifacts or documentation such as a Software Bill of Materials (SBOMs). CISA assumes that a software producer would already have this additional information readily available.
Comments on the Secure Software Development Common Self-Attestation Form can be submitted here. The comment period closes on June 26, 2023, which is roughly when the OMB Memo directed agencies to begin collecting attestations for critical software.