Secure software development attestation is a must for businesses supplying software to federal agencies. Continue reading to learn more.
June 12, 2023, was the due date for companies providing critical software to federal agencies to complete a self-attestation form confirming that they comply with the NIST Secure Software Development Framework (SSDF). The due date for all other software developers is September 14, 2023.
What is critical software? What does the NIST SSDF stand for? Why conduct self-attestation and who needs it? Continue reading to answer these and other related questions.
The requirement to follow the SSDF did not appear from nowhere. It was preceded by several important developments in the legal environment:
First, Biden’s Executive Order 14028, Improving the Nation’s Cybersecurity, was issued in May 2021. The executive order directed the Federal Government to prioritize software supply chain security, which includes establishing secure practices for developing software intended for federal use.
Second, NIST Special Publication 800-218, The Secure Software Development Framework (SSDF): Recommendations for Mitigating the Risk of Software Vulnerabilities, and the NIST Software Supply Chain Security Guidance were issued in February 2022. Together, these documents make up the NIST Secure Software Development Framework (NIST SSDF). Since then, federal agencies and their commercial software partners have had a defined set of security controls and best practices required for secure software development.
Third, the Office of Management and Budget (OMB) Memorandum M-22-18 was issued in September 2022. The memo requires companies supplying software to the Federal Government to complete the self-attestation form certifying that they comply with the NIST SSDF controls and guidance whenever third-party software is used on government information systems or otherwise affects government information.
Finally, the Secure Software Development Self-Attestation Form by the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) was released in April 2023. The form requires software developers to attest to security elements of their software development life cycle (SDLC).
EO-critical software is software that performs security-critical functions or poses a similarly significant potential for harm if compromised. As directed by Executive Order 14028, CISA developed a list of software categories and products that meet this definition of critical software, including
According to CISA, attestations are required for the following categories of software:
Attestations are not required when software is developed by federal agencies or is freely obtained (e.g. freeware, open source) directly by a federal agency.
The self-attestation form identifies four core secure development attestation areas, based on the security requirements in EO 14028 and the NIST SSDF. By submitting the common form, software developers are attesting that:
Importantly, Federal agencies may supplement the common form’s requirements, but any additional agency-specific requirements must be approved by the Office of Management and Budget (OMB).
Note also that, as an alternative to self-attestation, a developer may engage a certified FedRAMP third-party assessor organization (3PAO) to confirm that its software complies with the NIST SSDF.
Thus, software developers should ensure their company’s compliance with NIST SP 800-218 before submitting the self-attestation. The secure software development attestation form must be signed by the Chief Executive Officer of the software producer or their designee. By signing, they attest that the software complies with secure software development practices. The form can be completed in digital format on the agency website or by emailing the completed PDF. Federal agencies may use the software once they have received an appropriately signed copy of the form.
Completing the assessment may be burdensome for software developers, so consider engaging third parties to make the process go more smoothly. Feel free to contact the Planet 9 team for help with the assessment. We’ll be happy to assist!
Website: https://planet9security.com
Email: info@planet9security.com
Phone: 888-437-3646