OMB Issues Extension for Collection of Software Cybersecurity Attestation

The Office of Management and Budget issued on Friday a memorandum extending the deadline for U.S. federal agencies to start collecting software security attestation forms from contractors. Agencies were originally given until June 12 to collect the forms for critical software and until Sept. 14 for all other software.

The latest memo anchors the extension period to the time when the Cybersecurity and Infrastructure Security Agency finalizes the common attestation form, although no date has been set for when CISA will complete its work.

Once that common form is finalized, agencies will have a three-month collection period for critical software and a six-month collection period for all other software, Federal News Network reported.

The new memo also now excludes open-source software from the attestation requirement. An option to submit a plan of action and milestones has also been made available for companies that are not able to provide attestation letters immediately.