GABEY INFORMATION
By Prasanna Abeysekera
Companies that develop software for the government are now required to meet the minimum standards set out by CISA for building secure software. Software producers must also adhere to the additional security procedures detailed in the attestation. Because the government relies on this software, it must be developed securely and tested for weaknesses. The attestation policy also requires producers to disclose known vulnerabilities.
The Cybersecurity and Infrastructure Security Agency (CISA) has introduced a form for secure software development attestation.
On March 11th, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) jointly released the Secure Software Development Attestation Form, following extensive engagement with stakeholders and industry.
This form's primary objective is to ensure that software producers that partner with the federal government uphold the minimum secure development techniques and toolsets. It provides submission instructions, including online and email options.
This initiative is part of a broader effort to improve the security of the software supply chain, as directed by Executive Order 14028, "Improving the Nation's Cybersecurity," and OMB Memorandum M-22-18, "Enhancing the Security of the Software Supply Chain through Secure Software Development Practices".
The form requires vendor employees who make the attestation to provide their contact information. The information collected may be disclosed as generally permitted under Executive Order 14028 and Memorandum M-22-18. Failure to provide the requested information may result in the agency not utilising the software.
The Secure Software Development Attestation Form is a significant step in ensuring that software used by agencies is securely developed, thereby enhancing the nation's cybersecurity.
The Secure Software Development Attestation Form is crucial in enhancing cybersecurity in various ways.
The form ensures that any software providers partnering with the federal government adhere to a minimum set of secure development techniques and toolsets, standardising security practices and minimising the risk of security vulnerabilities in the software.
By requiring software producers to attest to their security practices, the form verifies that those practices have actually been implemented, which can help identify and address gaps in security measures.
Furthermore, the form is part of a broader effort to secure the software supply chain. Ensuring software is developed securely from the outset can help prevent security vulnerabilities from being introduced into the supply chain.
The form holds software producers accountable for the security of their products. Failure to provide the requested information may result in the agency ceasing to use the software, providing a strong incentive for compliance.
Increased transparency about software producers' security practices can help agencies make informed decisions about which software products to use.
Overall, the form is a proactive measure to prevent cyber threats and protect critical infrastructure by enhancing the security of software development practices, contributing to improving the nation's cybersecurity.
The Secure Software Development Attestation Form is intended for vendors who work with the federal government. However, it may have an indirect effect on vendors who do not have such partnerships.
Here's how:
Ultimately, the impact will depend on various factors, such as the nature of the vendor's business, the types of software they develop, and their existing security practices.
On May 12, 2021, the President issued Executive Order 14028 titled "Improving the Nation's Cybersecurity." The order directs several agencies, including the National Institute of Standards and Technology (NIST), to implement various initiatives to improve cybersecurity. These initiatives mainly focus on enhancing the security and integrity of the software supply chain.
The order includes critical aspects that must be taken into consideration, such as:
Modernising Cybersecurity Approaches: Federal agencies and their suppliers must modernise their cybersecurity approach by accelerating the move to secure cloud services and implementing a Zero Trust architecture.

Enhancing Software Supply Chain Security: Section 4 of the order directs NIST to gather input from the private sector, academia, government agencies, and others to identify existing or develop new standards, tools, best practices, and other guidelines to enhance software supply chain security.

Creating Cybersecurity Criteria for Consumer Labelling Programs: NIST is assigned to work on two labelling efforts related to consumer Internet of Things (IoT) devices and consumer software. These efforts aim to encourage manufacturers to take cybersecurity risks and capabilities more seriously in their products and to inform purchasers about them.
This order represents a significant step towards improving the nation's cybersecurity infrastructure and protecting against increasingly sophisticated cyber threats.
The Secure Software Development Attestation Form can be submitted by either the software producer's Chief Executive Officer (CEO) or Chief Operating Officer (COO). CISA has recently updated the requirement in the final version of the form, allowing a CEO's designee to sign in place of the CEO.
To be eligible, the person designated to attest to the software must be an employee of the software producer and have the authority to bind the corporation legally. The form is designed to collect contact information from the vendor employees who make the attestation. By signing the form, the designated individual confirms that the software in question has been developed in compliance with the secure software development practices outlined within the form. The requested information must be provided so that the agency can use the software.