Industry Council Urges OMB to Explain Cybersecurity Self-Attestation Rules for Software Vendors
The Information Technology Industry Council has sent a letter to Shalanda Young, director of the Office of Management and Budget, urging clarification on upcoming self-attestation requirements for third-party software products sold to the government. The petition called for a standardized rollout and request form across federal agencies and a pilot run for the collection of attestations and artifacts, FedScoop reported.
ITI is a trade group representing large companies such as Google, Microsoft, Amazon and Oracle. It joined other business associations in an April letter to Congress advocating for at least $300 million to be allocated to the Technology Modernization Fund for fiscal year 2023, arguing that such a move would advance government-wide cybersecurity goals such as zero trust.
In 2020, the council issued a policy recommendation that called for the consideration of alternatives to the Cybersecurity Maturity Model Certification program and other accreditation requirements for software vendors. One suggestion was self-attestation, which ITI argued was supported by international standards.
OMB is working with the Cybersecurity and Infrastructure Security Agency to craft a self-attestation form for suppliers as part of a mandate by the Biden administration. Software vendors are required to comply with security rules set by the National Institute of Standards and Technology.