The Cybersecurity and Infrastructure Security Agency (CISA) on April 27 released for public comment its proposed Secure Software Self-Attestation Common Form that will help to advance a key aspect of President Biden’s 2021 cybersecurity executive order on creating a more secure software supply chain.
Federal Chief Information Security Officer Chris DeRusha previewed the release of the form last week.
CISA is seeking public comment on the form through June 26, with comments to be submitted via the Regulations.gov website.
The self-attestation form for software makers is an integral part of an OMB directive issued in September 2022 that requires Federal agencies to take a range of actions to comply with National Institute of Standards and Technology (NIST) guidance on software security.
The OMB directive “requires each Federal agency to comply with the NIST Guidance when using third-party software on the agency’s information systems or otherwise affecting the agency’s information.” It defines “software” to include “firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.”
“Federal agencies must only use software provided by software producers who can attest to complying with the government-specified secure software development practices, as described in the NIST Guidance,” OMB ordered. As part of that obligation, Federal agency chief information officers need to take several steps, including obtaining self-attestations from software producers that they have implemented, and will attest to conformity with, the secure software development practices.
“Advancing progress toward a technology environment where all software products are safe and secure by design is a top priority for CISA, the broader U.S. government, and the global cybersecurity community,” CISA said last week. The self-attestation form, the agency said, requires software producers serving the government to confirm that they have implemented specific security practices.
CISA added that the draft form was developed “in close consultation with OMB and based upon practices established in the National Institute of Standards and Technology’s Secure Software Development Framework (SSDF).”
In a statement released on April 28, the Information Technology Industry Council called on OMB to work with industry and “provide clarity” on the proposed self-attestation form.
“To achieve its goal of successfully securing software and ensure regulatory harmonization, the Biden Administration should engage in transparent and effective partnership with the tech industry,” said Gordon Bitko, the trade group’s executive vice president of policy.
“ITI is encouraged by the Cybersecurity and Infrastructure Security Agency’s (CISA) decision to waive the attestation requirements for FedRAMP-certified services and to require due process through the Paperwork Reduction Act (PRA) for any deviating forms that agencies may develop,” he said.
“ITI calls on CISA and OMB to collaborate with industry to define key elements of the data collection process, including where responsibilities and accountabilities for inventory and collection lie, what risk factors will warrant the request of additional artifacts such as SBOMs, and next steps for deadlines outlined in OMB M-22-18,” Bitko said.
ITI noted its previous call to the Biden administration for additional guidance to the tech sector.
“Currently, software producers face significant barriers, including ambiguous terminology, confusing timelines, and the potential for regulatory fragmentation,” the group said.