On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released the much anticipated final version of its common Secure Software Development Attestation Form. Finalization of the form is a notable development for developers of software sold to the U.S. Government for two reasons. First, the form is expected to be used widely by Government agencies to fulfill requirements set forth in recent OMB memoranda, which direct agencies to ensure that the software they procure or use is secure by requiring attestations from software developers. Second, under that OMB guidance, final approval of the form by the Office of Information and Regulatory Affairs (OIRA) triggers a countdown: agencies must begin collecting the forms within three months for “critical software” and within six months for all other software.
As we described in more detail in a prior post, OMB issued a memorandum in September 2022 that directed federal agencies to collect attestations from software developers that they adhere to certain secure software development practices described in the NIST Secure Software Development Framework (SP 800-218) and the NIST Software Supply Chain Security Guidance (discussed here) (collectively, “NIST Guidance”). “Software” is very broadly defined to include “firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.” Covered software includes software that was developed or that underwent a major version change after September 14, 2022, as well as software that undergoes continuous updating. OMB indicated in the memorandum that agencies would use a “common form” to collect these attestations.
Although the requirements were initially slated to go into effect last year, OMB delayed implementation in a subsequent memorandum issued in June 2023, which we discussed in another post. As a result of the June 2023 memorandum, agencies are not required to comply with the requirements until a set period after the common form is approved by OIRA. Specifically, agencies must collect attestations from software developers within three months of the form’s approval for “critical” software, and within six months of the form’s approval for all other software.
Plans of Action and Milestones (POA&Ms) are permitted under the current guidance, but acceptance of a POA&M is within an agency’s discretion, and the agency must specifically request an extension of the attestation deadline from OMB for that piece of software. Agencies may also, in their discretion, choose to require additional materials, including software bills of materials (SBOMs).
OMB has not yet released any updated guidance relating to secure software, and while an implementing FAR rule appears to be nearing completion of the interagency drafting and development process, it has not been released either. Nonetheless, the conditions set forth in the June 2023 memorandum to start the three- and six-month clocks have now been met.
Accordingly, software developers that sell products for end use by the U.S. Government are strongly encouraged to assess now their current state of compliance with the secure development practices, to identify any gaps that could raise concerns with customers, and to begin addressing them. Contractors are also encouraged to begin documenting the basis for the attestations they will be required to make.