CISA Seeking Comments on Draft Attestation Form for Software Providers

The Cybersecurity and Infrastructure Security Agency has released a draft attestation form that software providers will have to sign to confirm that their products comply with the National Institute of Standards and Technology’s supply chain security requirements.

CISA is asking the industry to submit feedback on the document by June 26. The form was created in partnership with the Office of Management and Budget and was based on NIST’s Secure Software Development Framework, FedScoop reported.

The draft attestation form was published after the OMB issued a memo in September 2022 requiring federal agencies to make sure they are using SSDF-compliant third-party software. It also comes after the release of a new national cybersecurity strategy that aims to hold software makers liable for security flaws in their products.

According to a procurement memo released in January, the General Services Administration will begin collecting signed forms from software providers working with government agencies in mid-June.