CISA rolls out secure software attestation form
A repository for software attestation submissions will be available later in March.
DHS’s Cybersecurity and Infrastructure Security Agency released its long-awaited software development attestation form that requires federal contractors to detail minimum required security standards used in software that interacts with government systems.
The form, born out of a sweeping 2021 cybersecurity executive order and an OMB software supply chain memorandum, is meant to enforce secure by design principles frequently pushed by CISA that encourage software makers to blueprint their products with strong, built-in baseline security features.
The attestation is part of a broader effort the Biden administration has undertaken to bolster cybersecurity in the federal landscape, including a wide-ranging national cyber strategy released in 2023 that's currently being implemented. In the past year, hackers have launched cyberattacks at multiple federal agencies including the Commerce Department, State Department and even CISA itself.
The form mandates signing by a software contractor’s CEO when being filed to the U.S. government. It also requires self-attestation if the offering in question was developed or significantly modified after September 2022. An outside software assessor is also allowed to demonstrate the security features of the software offering, assuming it’s a qualified Third Party Assessor Organization certified by Federal Risk and Authorization Management Program, or FedRAMP.
Filers who use the attestation form must also certify their product development includes “consistent and reasonable steps to document, as well as minimize use or inclusion of software products that create undue risk within the environments” used for software development. The developer must also operate “a vulnerability disclosure program and accepts, reviews, and addresses disclosed software vulnerabilities in a timely fashion.”
A repository for the storage of attestation submissions is expected to launch later in March, CISA said.