CISA Releases Final Secure Software Development Attestation Common Form
The Cybersecurity and Infrastructure Security Agency (CISA) has now finalized the Secure Software Development Attestation common form, in compliance with OMB Memo M-22-18, Enhancing the Security of the Software Supply Chain Through Secure Software Development Practices, as amended by OMB Memo M-23-16. The requirements derive from Executive Order 14028, Improving the Nation's Cybersecurity. Software producers that sell software used by federal agencies will be required to attest to meeting the minimum secure development requirements specified in the form as a condition of agencies continuing to use that software. The secure development practices in the form are drawn from the NIST Secure Software Development Framework (SSDF), SP 800-218.
Software subject to the attestation requirement includes firmware, operating systems, applications, and cloud-based software and other application services, as well as products containing software. The requirement applies to software either developed or modified by major version changes after September 14, 2022, and to software-as-a-service and other software that uses continuous delivery or continuous deployment. Software developed by federal agencies, open-source software freely and directly obtained by agencies, components incorporated into software end products, and software freely obtained and publicly available are specified as out of scope and not subject to attestation requirements. As an alternative to self-attestation, software producers will be able to obtain a third-party assessment from a Third Party Assessor Organization (3PAO) that is FedRAMP certified or approved in writing by an appropriate agency official. CISA indicates that its repository for online form submission is expected to be available by late March 2024 (later this month).
CISA’s statement accompanying the publication of the final common form does not indicate the deadline for agencies to collect attestation letters, or whether there is any change from the previously-indicated timeline. OMB Memo M-23-16 had stated (at 2) that “Agencies must collect attestations for critical software subject to the requirements of M-22-18 and this memorandum no later than three months after the M-22-18 attestation common form released by [CISA] is approved by OMB under the Paperwork Reduction Act (PRA). Six months after the common form’s PRA approval by OMB, agencies must collect attestations for all software subject to the requirements delineated in M-22-18, as amended by this memorandum.”
CISA made a few notable changes from the last published draft of the common form, including the following:
The common form now specifically states (at 3, 5) that “Third Party open source and proprietary components that are incorporated into the software end product used by the agency” are not in scope and do not require a self-attestation. Along the same lines, the form now clarifies (at 5) that software producers are attesting to adhering to the secure software development practices “for code developed by the producer.” Notably, software producers still need to attest to practices pertaining to third-party components (see practices 2 and 3).
The form can now be signed by “the Chief Executive Officer (CEO) of the software producer or their designee, who must be an employee of the software producer and have the authority to bind the corporation.” See 4, 7. This is a change from the last draft, which had stated that only the CEO or Chief Operating Officer (COO) of the software producer could sign the form.
CISA also added a note on the first page of the form instructions stating that “This information may be disclosed as generally permitted under Executive Order 14028, Improving the Nation’s Cybersecurity (E.O. 14028) and Memorandum M-22-18, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” (M-22-18), as amended. This form collects contact information from vendor employees who make the attestation. For DHS, information may be disclosed as necessary and authorized by the routine uses published in DHS/ALL-002 Department of Homeland Security (DHS) Mailing and Other List System, November 25, 2008, 73 FR 71659.”
On the other hand, the form instructions state that if software producers demonstrate conformance with minimum requirements by submitting third-party assessment documentation, “[t]he agency shall take appropriate steps to ensure that the assessment is not posted publicly, either by the vendor or by the agency itself.”
Finally, the last draft of the common form had noted that the form fulfills the minimum requirements of OMB Memo M-22-18, as amended by M-23-16, but that agencies could ask software producers to provide “additional attestation artifacts or documentation, such as a Software Bill of Materials (SBOMs) or documentation from a certified FedRAMP third party assessor organization (3PAO) . . . beyond what is required in the common form.” The final common form makes no mention of SBOMs or the potential for an agency to mandate third party assessment. The only mention of artifacts is bracketed language at the end of the form, unchanged from the draft, which provides for optional attachment of an artifact or addendum.