On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) published an updated Secure Software Development Attestation Form, meaning that producers of software and providers of products containing software used by the federal government may be required to submit their attestations in the very near future. The Attestation Form, first published in April 2023, is a key cog in CISA’s implementation of software supply chain security requirements in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity and OMB Memoranda M-22-18 and M-23-16.
Attestation Form Applicability and Content
The Attestation Form broadly requires software producers and suppliers of products containing software to affirm that their software development practices for in-scope software conform with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-218 and the NIST Software Supply Chain Security Guidance.
Per OMB M-22-18 and M-23-16, Attestation Forms will be required from producers of third-party software used by federal agencies if the software:
- is developed after September 14, 2023;
- is modified by major version changes after September 14, 2022; or
- is software to which the developer delivers continuous changes to the software code (e.g., software-as-a-service (SaaS) offerings or other products using continuous delivery/continuous deployment).
“Software” subject to attestation includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.
Attestation Deadline
M-23-16 explained that Attestation Form submissions would be due:
- for “critical software,”[1] no later than three months following OMB approval of the Attestation Form under the Paperwork Reduction Act (PRA), or
- for all other in-scope software, no later than six months following OMB PRA approval.
OMB apparently provided PRA approval on March 8, 2024, suggesting that the respective submission deadlines will fall three and six months after that date. Separately, CISA published the Attestation Form on March 11 but has yet to confirm the submission deadlines. Crowell continues to monitor updates from OMB and CISA, and we will update this alert when the Attestation Form submission deadlines are confirmed.
Attachments
[1] As defined in OMB Memorandum M-21-30.