The General Services Administration (GSA) said it will begin collecting attestation letters as part of pre- and post-award contract deliverables by June 12 for all software – regardless of whether the product is considered critical.
The agency said that collecting the letters of attestation from vendors GSA works with will help implement an Office of Management and Budget (OMB) memo that requires Federal agencies to only use software that complies with government-specified secure software development practices.
Requirements for software vendors working with the government to attest to the safety of their products were also included in the Biden Administration’s May 2021 cyber executive order.
“To comply with Executive Order 14028 and OMB Memorandum M-22-18,” the agency wrote, “GSA IT will update its processes to approve software including requiring vendor attestations.”
It added, “GSA IT anticipates issuing an updated attestation process by June 12, 2023.”
To collect the letters, GSA will use a common form provided by the Cybersecurity and Infrastructure Security Agency (CISA), which it expects will be available before June.
The agency’s letter – Ensuring Only Approved Software is Acquired and Used at GSA – said contracting activities must update GSA-administered indefinite delivery vehicles “to allow, but not require, contractors to provide attestations.”
The Federal Acquisition Council is currently considering a rule change that would embed the requirement for software providers to attest to the security of their products within the Federal Acquisition Regulation.