CISA to Create Cybersecurity Self-Attestation Form for Third-Party Technology Providers
CISA will work with the Office of Management and Budget to create a form that agencies will use to show that software vendors have attested that their offerings conform to the National Institute of Standards and Technology security guidelines. The self-attestation form is meant to reduce the burden on contractors when it comes to proving security compliance.
CISA will have 120 days to create the form, FedScoop reported.
The self-attestation form is part of new cybersecurity guidelines that the Biden administration released on Wednesday. According to the release, CISA must also establish plans for a government-wide and a full federal interagency repository for software attestations and artifacts.
CISA has a year to establish the government-wide repository and two years for the federal interagency version. The agency will also publish updated software bill of materials guidance for federal agencies if needed.
According to the White House, federal agencies will have 90 days to create separate inventories for their software and critical software. Agencies will also have 120 days to develop a process for communicating requirements and collecting attestation letters from software providers.
The requirement follows comments from industry executives who said they want the White House to pursue self-attestation for third-party vendors rather than a third-party verification process.