Agencies are no longer required to begin collecting software security attestation forms from contractors on June 12, the Office of Management and Budget (OMB) said in a memo released today.
The June 9 memo directs agencies to begin collecting attestations for critical software no later than three months after the Cybersecurity and Infrastructure Security Agency’s (CISA) common attestation form is finalized under the Paperwork Reduction Act.
Agencies have six months from the form’s finalization to start collecting attestations for all third-party software.
Today’s memo comes just three days before the previous deadline, set earlier this year, for Federal agencies to start collecting software security attestation letters.
Agencies will use a common form provided by CISA to collect the letters, but there isn’t a set date for when the administration is expected to finalize the secure attestation form.
In late April, CISA published a draft version of the “Secure Software Self-Attestation Form” that is expected to be used by all agencies. The agency is accepting comments on the form through June 26.
“Advancing progress toward a technology environment where all software products are safe and secure by design is a top priority for CISA, the broader U.S. government, and the global cybersecurity community,” CISA said in April. The self-attestation form, the agency said, requires software producers serving the government to confirm that they have implemented specific security practices.
CISA added that the draft form was developed “in close consultation with OMB and based upon practices established in the National Institute of Standards and Technology’s Secure Software Development Framework.”
The form is a crucial piece of the Biden administration’s push to ensure agencies only use securely developed software.
Collecting the letters of attestation from vendors that work with agencies will help implement an OMB memo that requires Federal agencies to only use software that complies with government-specified secure software development practices.
Requirements for software vendors working with the government to attest to the safety of their products were also included in the Biden administration’s May 2021 cyber executive order.
In addition to extending the deadlines today, OMB also offered several points clarifying the scope of the secure software requirements and how agencies should apply them.
“Attestations must be collected from the producer of the software end product used by an agency because the producer of that end product is best positioned to ensure its security,” the memo reads. “An attestation provided by that producer to an agency serves as an affirmative statement that the producer follows the secure software development minimum requirements, as articulated in the common form.”
Additionally, the memo states that agencies are not required to collect attestations from software producers for products that are proprietary but freely obtained and publicly available.
Finally, OMB clarifies that agency-developed software remains outside the scope of the attestation requirements, but that contracting agencies still need to ensure that software developed under a Federal contract follows NIST’s Secure Software Development Framework.