
On April 28, 2023 the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published its long-awaited draft Secure Software Development Self-Attestation Form.  The form is a key component of the mandatory software supply chain security requirements introduced last fall in Office of Management and Budget (OMB) Memorandum M-22-18. The form requires certain software developers to attest to specific security elements of their software development life cycle (SDLC) and their development environment. 

Background

In May 2021, the Biden Administration issued Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity.”  The EO directed the federal government to prioritize software supply chain security, including by creating secure software development practices for federal software acquisitions.  Pursuant to the EO, in February 2022 the National Institute of Standards and Technology (NIST) published NIST Special Publication 800-218 and the NIST Software Supply Chain Security Guidance (collectively, the NIST Secure Software Development Framework, or NIST SSDF), providing software development-focused security controls and best practices for federal agencies and their commercial software partners. 

OMB Memorandum M-22-18, published on September 14, 2022, requires companies providing software to the federal government to complete the self-attestation form to certify that they comply with the NIST SSDF controls and guidance whenever third-party software is used on government information systems or otherwise affects government information. 

Self-Attestation Form Overview

CISA’s draft self-attestation form clarifies the minimum requirements that software developers must meet to comply with the Memorandum.  Individual agencies may supplement the common form’s requirements, but any additional agency-specific requirements must be approved by OMB before taking effect. 

Importantly, as an alternative to self-attestation, a developer may engage a certified FedRAMP third-party assessor organization (3PAO) to confirm that its software complies with the NIST SSDF.

Who Must Provide a Self-Attestation Form?

CISA clarifies that attestations are required for the following categories of software:

  • Software developed after September 14, 2022;
  • Existing software that is modified by major version changes after September 14, 2022; and
  • Software to which the developer delivers continuous changes to the software code (e.g., software-as-a-service (SaaS) offerings or other products using continuous delivery/continuous deployment). 

Critically, the third category represents an expansion in scope from the Memorandum, which only mentioned the first two categories of software.

CISA also lists exemptions where attestations are not required:

  • software developed by federal agencies; and
  • software that is freely obtained (e.g. freeware, open source) directly by a federal agency.

To What are Software Developers Attesting?

The common form identifies four core secure development attestation areas, based on the security requirements in EO 14028 and the NIST SSDF.  By submitting the common form, software developers will be attesting that:

  • Their software was developed and built in secure environments;
  • They have made a good-faith effort to maintain trusted source code supply chains;
  • They maintain data provenance for internal and third-party code incorporated into the software; and
  • They employ automated tools or comparable processes that check for security vulnerabilities.

The form provides citations to specific SSDF controls and guidance pertinent to each area and associated sub-areas, allowing software developers to identify and implement crucial controls ahead of their attestation deadline.

Software developers should ensure they are confident in their company’s compliance with NIST SP 800-218 prior to submitting their self-attestation in light of the government’s laser focus on cybersecurity enforcement.  The Department of Justice’s Civil Cyber Fraud Initiative continues to bring False Claims Act (FCA) actions in response to inaccurate cybersecurity representations, which could be implicated by companies’ incorrect self-assessments of the SSDF. 

When are Attestations Due?

CISA has not modified the attestation deadlines set forth in OMB Memorandum M-22-18.  Per the Memorandum, attestations are due:

  • June 12, 2023 for “critical software,” defined as “standalone, on-premise software that performs security-critical functions or poses similar significant potential for harm if compromised” (e.g. network control or security logging software); and
  • September 14, 2023 for all other software.

Next Steps for Federal Government Software Suppliers

With attestation deadlines looming, software developers may consider the following next steps:

  • Convene a corporate software compliance team that includes legal, software development and leadership stakeholders;
  • Review the NIST SP 800-218 practices and tasks as well as the draft Self-Attestation Form;
  • Review OMB Memorandum M-21-30 to determine if any software an organization develops could be viewed as ‘critical’;
  • Engage an independent third party, preferably under legal privilege, to complete a NIST SP 800-218 assessment of the organization’s SDLC and development environment; and
  • Develop a plan of action and milestones for any identified gaps.
Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.

Alexander Urbelis

Alex Urbelis is a senior counsel in the New York office and a member of the Privacy & Cybersecurity Group. Alex has more than 20 years of experience in the information security community and has varied experience as a Chief Information Security Officer (CISO), Chief Compliance Officer, in-house counsel, and private practice litigator.

Alex has a unique skill set that has allowed him to create a bridge between the technical and legal side of cybersecurity. As a result, he is the primary architect of an exclusive DNS (Domain Name System) monitoring and intelligence platform. Through this intel platform, Alex advises his clients on identified and early-stage indicators of cybersecurity threats and provides counsel on legal actions and technical defensive remedies to neutralize those threats. Alex tracks sophisticated cyber adversaries and advanced persistent threats (APTs) through his intel platform and, notably, detected a state-sponsored cyber intrusion attempt targeting the World Health Organization in March 2020. For combining legal and technical skill sets with public service, the Financial Times selected Alex as a finalist for its Innovative Lawyers awards for pandemic response in 2020.

Maida Oringher Lerner

Maida Lerner is senior counsel in Crowell & Moring’s Washington, D.C. office and a part of the firm’s Privacy & Cybersecurity, Government Contracts, and Environment & Natural Resources groups. Maida counsels a broad group of clients in a variety of sectors on cyber and physical security compliance and risk management, homeland security, and administrative matters, including trade associations and companies in the pipeline, transportation, government contracts, education, health care, and manufacturing sectors.