Federal Secure Software Attestation Deadlines Pushed Back
6/13/2023
If you are a federal contractor providing software to the government, you have a little more time before needing to submit security forms to federal agencies. The deadline for agencies to commence collecting software security attestation forms from contractors is being extended by the White House Office of Management and Budget (OMB).
In a memo published 6/9/2023, the OMB instructs agencies to initiate the collection of attestations for “critical software” no later than three months after the completion of the Cybersecurity and Infrastructure Security Agency’s (CISA) common attestation form, in accordance with the Paperwork Reduction Act.
After the form’s finalization, agencies are granted a six-month period to begin collecting attestations for all third-party software that falls within OMB’s security requirements. Previously, the deadlines for attestation form collection, as stated in a White House memo released in September of last year, were June 12th for critical software and September 14th for all software.
The completion date for the secure attestation form is currently unknown. In April, CISA released a draft version of the “Secure Software Self-Attestation Form,” which is expected to be utilized by all agencies. CISA is actively seeking feedback on the form until June 26. However, the timing of the draft form’s release has led to speculation regarding whether the original deadlines set by the OMB will remain intact.
The form holds significant importance in the Biden administration’s efforts to ensure that agencies exclusively employ securely developed software. It mandates software vendors to complete the form and self-attest to adhering to secure development practices outlined by the National Institute of Standards and Technology (NIST).
These requirements are a result of the cybersecurity executive order issued in May 2021 and are aimed at enhancing security measures following the 2020 incident in which numerous agencies and large corporations fell victim to a breach through malicious code inserted into SolarWinds software. Upon finalization, the form is expected to be utilized by government agencies to fulfill the OMB requirements. The form will necessitate the signature of a company’s CEO, CSO, or a designated employee.
In the recent extension of deadlines, the OMB has provided several clarifications regarding the approach agencies should take towards the secure software requirements. One important clarification is that agencies are only required to collect attestations from the “producer of the software end product.” This is because the producing organization is deemed to be in the best position to ensure the security of the software.
Consequently, agencies are not obligated to collect attestations from producers of third-party software components that are incorporated into the software end product used by the agency. This applies to both third-party open-source and proprietary components. A component, whether open source or proprietary, is considered a “third-party” component only if it was developed by an entity other than the producer of the software end product into which it is integrated. The clarification also states that agencies are not obligated to collect attestations for proprietary products that are “freely obtained and publicly available.”
The memo explains that a significant number of core software applications that federal agencies must have access to are offered freely to the public. Given that users of such software have no negotiating power with the producer, it is infeasible for agencies to obtain attestations from those producers. Nonetheless, agencies are still required to assess the risks associated with using such software and take appropriate measures to mitigate or eliminate identified risks.
In addition, software developed by the agency itself is not subject to the attestation requirements. However, the memo clarifies that contracting agencies must ensure that software developed under a federal contract adheres to the Secure Software Development Framework outlined by NIST.
In cases where there are doubts about whether software developed by federal contractors should be considered agency-developed, the determination must be made by agency Chief Information Officers (CIOs) on behalf of the agency. The memo says that agency CIOs are best positioned to evaluate whether the agency’s specifications and oversight of contract performance meet the standard.
If you provide software or IT services to the federal or local government, EZGovOpps is a great resource for competitive information such as scope, incumbent, task order history, and other data. Sign up for a 5-day trial today.