A Brief History of Secure Software Development Attestation
Benji Visser, CTO
What a mouthful! The U.S. government has drafted new requirements for federal vendors, focusing on the security and integrity of their software supply chains. Key among these is the "Secure Software Development Attestation Form," which requires vendors to confirm that they follow secure development best practices. In this article, we break down the requirements, explain how the form came to be, and describe how it affects businesses selling software to the U.S. government.
Please note that the information provided here is based on the latest draft of the Secure Software Development Attestation Form, dated November 16, 2023. The Attestation Form has not been finalized yet.
Secure Software Development Attestation Form
The Secure Software Development Attestation Form (the “Attestation Form”) was released by CISA on November 16, 2023. The Attestation Form identifies the minimum secure software development requirements software producers must meet, focusing specifically on the software supply chain.
Key requirements for vendors include:
- Ensuring that the environments in which they build and package their software are as secure as their production environment, with comparable minimum access requirements, multi-factor authentication (MFA), regular logging, encryption of sensitive data, and continuous monitoring.
- Making a good-faith effort to maintain trusted software supply chains, including the open-source components they depend on. This encompasses using current, non-end-of-life software, employing digital signatures to verify software integrity, and gathering provenance data for the components listed in their Software Bill of Materials (SBOM).
The Attestation Form must be signed either by the software vendor's CEO or COO or by a FedRAMP third-party assessor organization (3PAO), confirming that the vendor satisfies the requirements. This matters because it places accountability and oversight at the executive level.
Who Does it Affect?
Federal agencies will be required to obtain a completed Attestation Form from their software vendors for the following categories of software:
- Software developed after September 14, 2022;
- Existing software that is modified by major version changes after September 14, 2022; and,
- SaaS providers or other offerings using continuous delivery/continuous deployment.
Attestation Form History
How did the Attestation Form come to be? The first executive order addressing software supply chain security was Executive Order 14028, signed by President Biden on May 12, 2021. It called for bold changes and significant investment to defend Federal Information Systems, and it established baseline security standards for the development of software sold to the government.
The baselines exist, but how are they rolled out? The executive order tasked two key government agencies with putting it into effect: NIST and OMB.
NIST
The National Institute of Standards and Technology (NIST) was tasked with developing new standards around cybersecurity within a specified period of time after the Executive Order (EO) was released. In response, NIST released the NIST Software Supply Chain Security Guidance (the “Guidance”) and the Secure Software Development Framework (SSDF).
The Guidance explained NIST's plan of action for responding to the EO, and the SSDF provided a set of fundamental secure development practices that organizations can implement.
OMB
The Director of the Office of Management and Budget (OMB) was tasked with ensuring that agencies comply with the Guidance issued by NIST. In response, OMB released memorandums M-22-18 and M-23-16 and, in collaboration with CISA, the Secure Software Development Attestation Form.
M-22-18: Requires all agencies to obtain a self-attestation form from the software producer, confirming their compliance with the NIST Guidance and the NIST SSDF.
M-23-16: Reinforces the requirements of M-22-18 and extends the timelines for agencies to collect Attestation Forms from software producers. Additionally, M-23-16 introduced the option of having a FedRAMP third-party assessor organization (3PAO) sign the Attestation Form instead of the CEO/COO.
How is it going so far? As of June 2023, the General Services Administration had already started collecting letters of attestation from the software vendors it works with.
Risks of Noncompliance
Software vendors who do not submit the required Attestation Form risk losing their current federal contracts. In a January 2023 memo, the General Services Administration (GSA) stated that software not complying with GSA IT Standards will be disapproved, halting contract renewals or extensions and requiring the agency to re-procure the requirement.
Additionally, vendors issuing false attestations could face substantial legal consequences. The draft of the Attestation Form mentions that “[w]illfully providing false or misleading information may constitute a violation of 18 U.S.C. § 1001, a criminal statute”.
When does it start?
Neither the M-23-16 memorandum nor the Secure Software Development Attestation Form document indicates when the Attestation Form will be finalized. However, per M-23-16, once the Attestation Form is finalized, federal agencies must collect attestations for all in-scope software within 6 months.