Secure Software Development Attestation 

Secure software development attestation is now a requirement for businesses supplying software to federal agencies. Continue reading to learn what it covers and who must submit it.

Under OMB Memorandum M-22-18, June 12, 2023, was the due date for companies providing critical software to Federal agencies to complete a self-attestation form confirming that they comply with the NIST Secure Software Development Framework (SSDF). The due date for all other software producers was September 14, 2023. OMB Memorandum M-23-16, issued in June 2023, later re-based both deadlines on the date OMB approves the final attestation form, so check the current OMB guidance before relying on these dates.

What is critical software? What is the NIST SSDF? Why conduct a self-attestation, and who needs one? Continue reading for answers to these and related questions.

Background

The requirement to follow the SSDF did not appear from nowhere. It was preceded by several policy and regulatory developments: 

First, Executive Order 14028, Improving the Nation's Cybersecurity, was issued in May 2021. The executive order directed the Federal Government to prioritize software supply chain security, including establishing secure practices for developing software used by federal agencies and requiring producers to attest to those practices.

Second, NIST Special Publication 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities, and the NIST Software Supply Chain Security Guidance were both issued in February 2022. SP 800-218 is the SSDF itself; the two documents together are what EO 14028 and OMB refer to as the NIST Guidance. From that point, federal agencies and their commercial software suppliers had a defined set of practices and tasks for secure software development.

Third, the Office of Management and Budget (OMB) Memorandum M-22-18 was issued on September 14, 2022. The memo requires producers supplying software to the Federal Government to complete a self-attestation form certifying that they conform to the NIST SSDF and related guidance whenever their software is used on government information systems or otherwise affects government information. 

Finally, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released a draft Secure Software Development Self-Attestation Form for public comment in April 2023. The form requires software producers to attest to specific security elements of their software development life cycle (SDLC). 

What is the EO-Critical Software?

EO-critical software is software that performs security-critical functions or poses similar significant potential for harm if compromised. As directed by Executive Order 14028, NIST defined the term and CISA published the list of software categories and products that meet the definition. The initial phase focuses on standalone, on-premises software with security-critical functions (for example, identity and access management, operating systems, network control and endpoint security products); subsequent phases are intended to extend the scope to

  • software that controls access to data;
  • cloud-based and hybrid software;
  • software development tools such as code repository systems, development tools, testing software, integration software, packaging software, and deployment software;
  • software components in boot-level firmware; or
  • software components in operational technology (OT).

Who Needs a Secure Software Development Attestation?

According to CISA, attestations are required for the following categories of software:

  • Software developed after September 14, 2022;
  • Existing software that is modified by major version changes after September 14, 2022; and
  • Software to which the developer delivers continuous changes to the software code (e.g., software-as-a-service (SaaS) offerings or other products using continuous delivery/continuous deployment). 

Attestations are not required when software is developed by federal agencies or is freely obtained (e.g. freeware, open source) directly by a federal agency.

To What Are Software Developers Attesting?

The self-attestation form identifies four core secure development attestation areas, derived from the security requirements in EO 14028 and the practices in the NIST SSDF. By submitting the common form, software producers attest that:

  • Their software was developed and built in secure environments. To meet this requirement, producers must protect each environment involved in developing and building the software, including maintaining authorization policies and access controls, encrypting sensitive data, separating and protecting build environments, and continuously monitoring those environments;
  • They have made a good-faith effort to maintain trusted source code supply chains. This includes employing automated tools, addressing the security of third-party components, and managing the vulnerabilities those components introduce;
  • They maintain provenance data for internal and third-party code incorporated into the software; and
  • They employ automated tools or comparable processes that check for security vulnerabilities. Producers must ensure these processes operate on an ongoing basis, remediate discovered vulnerabilities prior to product release, and address disclosed vulnerabilities in a timely fashion.

Importantly, Federal agencies may supplement the common form's requirements, but any additional agency-specific requirements must be approved by the Office of Management and Budget (OMB). 

Also important: as an alternative to self-attestation, a producer may engage a certified FedRAMP third-party assessor organization (3PAO), or another assessor approved by the agency, to confirm that its software development practices conform to the NIST SSDF.

Finally

Software producers should therefore verify their conformance with NIST SP 800-218 before submitting a self-attestation; signing without evidence of the practices behind it creates legal exposure for the company. The secure software development attestation form must be signed by the Chief Executive Officer of the software producer or their designee. By signing, they attest that the software was developed in accordance with the secure software development practices listed on the form. The form can be completed in the digital format provided on the agency website or by emailing the completed PDF. Federal agencies may use the software once they have received an appropriately signed copy of the form.

Completing the assessment can be burdensome for software producers, so consider engaging a third party to make the process go more smoothly. Feel free to contact the Planet 9 team for help with the assessment. We'll be happy to assist!

Website: https://planet9security.com

Email:  info@planet9security.com

Phone:  888-437-3646
