Federal Secure Software Attestation Deadlines Pushed Back

6/13/2023

If you are a federal contractor providing software to the government, you have a little more time before needing to submit security forms to federal agencies. The deadline for agencies to commence collecting software security attestation forms from contractors is being extended by the White House Office of Management and Budget (OMB).

In a memo published 6/9/2023, the OMB instructs agencies to initiate the collection of attestations for “critical software” no later than three months after the completion of the Cybersecurity and Infrastructure Security Agency’s (CISA) common attestation form, in accordance with the Paperwork Reduction Act.

After the form’s finalization, agencies are granted a six-month period to begin collecting attestations for all third-party software that falls within OMB’s security requirements. Previously, the deadlines for attestation form collection, as stated in a White House memo released in September of last year, were June 12th for critical software and September 14th for all software.

The completion date for the secure attestation form is currently unknown. In April, CISA released a draft version of the “Secure Software Self-Attestation Form,” which is expected to be utilized by all agencies. CISA is actively seeking feedback on the form until June 26. However, the timing of the draft form’s release has led to speculation regarding whether the original deadlines set by the OMB will remain intact.

The form holds significant importance in the Biden administration’s efforts to ensure that agencies exclusively employ securely developed software. It requires software vendors to complete the form and self-attest to adhering to secure development practices outlined by the National Institute of Standards and Technology (NIST).

These requirements are a result of the cybersecurity executive order issued in May 2021 and are aimed at enhancing security measures following the 2020 incident in which numerous agencies and large corporations fell victim to a breach through malicious code inserted into SolarWinds software. Upon finalization, the form is expected to be utilized by government agencies to fulfill the OMB requirements. The form will necessitate the signature of a company’s CEO, CSO, or a designated employee.

In the recent extension of deadlines, the OMB has provided several clarifications regarding the approach agencies should take towards the secure software requirements. One important clarification is that agencies are only required to collect attestations from the “producer of the software end product.” This is because the producing organization is deemed to be in the best position to ensure the security of the software.

Consequently, agencies are not obligated to collect attestations from producers of third-party software components that are incorporated into the software end-product used by the agency. This applies to both third-party open-source and proprietary components. A component, regardless of being open source or proprietary, is considered a “third-party” component only if it was developed by an entity other than the producer of the software end-product into which it is integrated. Also, the clarification states that agencies are not obligated to collect attestations for proprietary products that are “freely obtained and publicly available.”

The memo explains that a significant number of core software apps that federal agencies must have access to are offered freely to the public. Given that users of such software have no negotiating power with the producer, it’s infeasible for agencies to obtain attestations from the producers. Nonetheless, agencies are still required to assess the risks associated with utilizing such software and take appropriate measures to mitigate or eliminate identified risks.

In addition, software developed by the agency itself is not subject to the attestation requirements. However, the memo clarifies that contracting agencies must ensure that software developed under a federal contract adheres to the Secure Software Development Framework outlined by NIST.

In cases where there are doubts about whether software developed by federal contractors should be considered agency-developed, the determination must be made by agency Chief Information Officers (CIOs) on behalf of the agency. The memo says that agency CIOs are best positioned to evaluate whether the agency’s specifications and oversight of contract performance meet the standard.
