On April 28, 2023 the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published its long-awaited draft Secure Software Development Self-Attestation Form. The form is a key component of the mandatory software supply chain security requirements introduced last fall in Office of Management and Budget (OMB) Memorandum M-22-18. The form requires certain software developers to attest to specific security elements of their software development life cycle (SDLC) and their development environment.
Background
In May 2021, the Biden Administration issued Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity.” The EO directed the federal government to prioritize software supply chain security, including by creating secure software development practices for federal software acquisitions. Pursuant to the EO, in February 2022 the National Institute of Standards and Technology (NIST) published NIST Special Publication 800-218 and the NIST Software Supply Chain Security Guidance (collectively, the NIST Secure Software Development Framework, or NIST SSDF), providing software development-focused security controls and best practices for federal agencies and their commercial software partners.
OMB Memorandum M-22-18, published on September 14, 2022, requires companies providing software to the federal government to complete the self-attestation form to certify that they comply with the NIST SSDF controls and guidance whenever third-party software is used on government information systems or otherwise affects government information.
Self-Attestation Form Overview
CISA’s draft self-attestation form clarifies the minimum requirements that software developers must meet to comply with the Memorandum. Individual agencies may supplement the common form’s requirements, but any additional agency-specific requirements must be approved by OMB before taking effect.
Importantly, as an alternative to self-attestation, a developer may engage a certified FedRAMP third-party assessor organization (3PAO) to confirm that its software complies with the NIST SSDF.
Who Must Provide a Self-Attestation Form?
CISA clarifies that attestations are required for the following categories of software:
- Software developed after September 14, 2022;
- Existing software that is modified by major version changes after September 14, 2022; and
- Software to which the developer delivers continuous changes to the code (e.g., software-as-a-service (SaaS) offerings or other products using continuous delivery/continuous deployment).
Critically, the third category represents an expansion in scope from the Memorandum, which only mentioned the first two categories of software.
CISA also lists exemptions where attestations are not required:
- software developed by federal agencies; and
- software that is freely obtained (e.g. freeware, open source) directly by a federal agency.
To What Are Software Developers Attesting?
The common form identifies four core secure development attestation areas, based on the security requirements in EO 14028 and the NIST SSDF. By submitting the common form, software developers will be attesting that:
- Their software was developed and built in secure environments;
- They have made a good-faith effort to maintain trusted source code supply chains;
- They maintain data provenance for internal and third-party code incorporated into the software; and
- They employ automated tools or comparable processes that check for security vulnerabilities.
The form provides citations to specific SSDF controls and guidance pertinent to each area and associated sub-areas, allowing software developers to identify and implement crucial controls ahead of their attestation deadline.
Software developers should ensure they are confident in their company’s compliance with NIST SP 800-218 prior to submitting their self-attestation, in light of the government’s laser focus on cybersecurity enforcement. The Department of Justice’s Civil Cyber Fraud Initiative continues to bring False Claims Act (FCA) actions in response to inaccurate cybersecurity representations, and an inaccurate self-attestation of SSDF compliance could be implicated in the same way.
When are Attestations Due?
CISA has not modified the attestation deadlines set forth in OMB Memorandum M-22-18. Per the Memorandum, attestations are due:
- June 12, 2023 for “critical software,” defined as “standalone, on-premise software that performs security-critical functions or poses similar significant potential for harm if compromised” (e.g. network control or security logging software); and
- September 14, 2023 for all other software.
Next Steps for Federal Government Software Suppliers
With attestation deadlines looming, software developers may consider the following next steps:
- Convene a corporate software compliance team that includes legal, software development and leadership stakeholders;
- Review the NIST SP 800-218 practices and tasks as well as the draft Self-Attestation Form;
- Review OMB Memorandum M-21-30 to determine if any software an organization develops could be viewed as ‘critical’;
- Engage an independent third party, preferably under legal privilege, to complete a NIST SP 800-218 assessment of the organization’s SDLC and development environment; and
- Develop a plan of action and milestones for any identified gaps.