On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released the much-anticipated final version of its common Secure Software Development Attestation Form. Finalization of the form is a notable development for developers of software sold to the U.S. Government for two reasons. First, the form is expected to be used widely by Government agencies to fulfill requirements set forth in recent OMB memoranda that direct those agencies to ensure that the software they procure or use is secure by requiring attestations from software developers. Second, as set forth under OMB guidance, final approval of the form by the Office of Information and Regulatory Affairs (OIRA) triggers a countdown within which agencies must begin collecting the forms: within three months for “critical software” and within six months for all other software.

As we described in more detail in a prior post, OMB issued a memorandum in September 2022 that directed federal agencies to collect attestations from software developers that those developers adhere to certain secure software development practices described in the NIST Secure Software Development Framework (SP 800-218) and the NIST Software Supply Chain Security Guidance (discussed here) (collectively, “NIST Guidance”). “Software” is very broadly defined to include “firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.” Covered software includes software that was developed or that underwent a major version change after September 14, 2022, as well as software that undergoes continuous updating. OMB indicated in the memorandum that agencies would use a “common form” to collect these attestations.

Although the requirements were initially slated to go into effect last year, OMB delayed implementation in a subsequent memorandum issued in June 2023, which we discussed in another post. As a result of the June 2023 memorandum, agencies are not required to comply with the requirements until a certain period after the common form is approved by OIRA. Specifically, agencies must collect attestations from software developers within three months of the form’s approval for “critical” software, and within six months of the form’s approval for all other software.

Plans of Action and Milestones (POA&Ms) are permitted under the current guidance, but acceptance of a POA&M is within an agency’s discretion, and agencies must specifically request an extension of the attestation deadline from OMB for that piece of software. Agencies may also, in their discretion, choose to require the provision of additional materials, including software bills of materials (SBOMs).

OMB has not yet released any updated guidance relating to secure software, and while an implementing FAR rule appears to be nearing completion of the interagency drafting and development process, it has not been released either. Nonetheless, the conditions set forth in the June 2023 memorandum to start the three- and six-month clocks have now been met.

Accordingly, software developers that sell products for end use by the U.S. Government are highly encouraged to assess their current state of compliance with the secure development practices now, to identify any potential gaps that could cause concerns with customers, and to begin addressing them. Contractors are also encouraged to begin documenting the basis for the attestations that they will be required to make.

Robert Huffman

Bob Huffman represents defense, health care, and other companies in contract matters and in disputes with the federal government and other contractors. He focuses his practice on False Claims Act qui tam investigations and litigation, cybersecurity and supply chain security counseling and compliance, contract claims and disputes, and intellectual property (IP) matters related to U.S. government contracts.

Bob has leading expertise advising companies that are defending against investigations, prosecutions, and civil suits alleging procurement fraud and false claims. He has represented clients in more than a dozen False Claims Act qui tam suits. He also represents clients in connection with parallel criminal proceedings and suspension and debarment.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including cybersecurity, the Buy American Act/Trade Agreements Act (BAA/TAA), and counterfeit parts requirements. He also has extensive experience litigating contract and related issues before the Court of Federal Claims, the Armed Services Board of Contract Appeals, federal district courts, the Federal Circuit, and other federal appellate courts.

In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial items and services. He handles IP matters involving government contracts, grants, Cooperative Research and Development Agreements (CRADAs), and Other Transaction Agreements (OTAs).

Ryan Burnette

Ryan Burnette advises defense and civilian contractors on federal contracting compliance and on civil and internal investigations that stem from these obligations. Ryan has particular experience with clients that hold defense and intelligence community contracts and subcontracts, and has recognized expertise in national security related matters, including those matters that relate to federal cybersecurity and federal supply chain security. Ryan also advises on government cost accounting, FAR and DFARS compliance, public policy matters, and agency disputes. He speaks and writes regularly on government contracts and cybersecurity topics, drawing significantly on his prior experience in government to provide insight on the practical implications of regulations.