Software security

OMB, CISA to Release Standardized Self-Attestation Form for Software Providers

The Office of Management and Budget and the Cybersecurity and Infrastructure Security Agency are developing a standardized form that software providers will use to certify their compliance with the National Institute of Standards and Technology’s Secure Software Development Framework.

Speaking at an event hosted by the Alliance for Digital Innovation, Chris DeRusha, federal chief information security officer for OMB, said the self-attestation form is expected to be released in the coming days to ensure federal agencies procure and implement SSDF-compliant third-party software, FCW reported.

In September 2022, the OMB issued a memo requiring all federal agencies to obtain self-attestation forms from third-party software vendors before using their products. The forms are also required prior to software renewals and major version changes.

According to the memo, an acceptable self-attestation includes the software producer’s name, a description of the product being sold to federal agencies and a statement attesting that the software producer follows secure development practices. The memo noted that agencies may require vendors that submitted self-attestation documents to undergo a third-party assessment due to the criticality of the service or product being acquired.

The White House has given agencies until June to begin collecting self-attestation forms from critical software providers. Forms from all software providers should be obtained by Sept. 14.