The Biden-Harris administration approved a secure software development attestation form on Monday, taking a crucial step towards ensuring Federal contractors provide secure products to the Federal government.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) released the form on March 11, following extensive stakeholder and industry engagement. The form will help to advance a key aspect of President Biden’s 2021 cybersecurity executive order on creating a more secure software supply chain.

“The Biden-Harris administration continues to build on that foundation with the release of the secure software development attestation form – a critical step towards ensuring software producers who work with government provide securely developed products,” Chris DeRusha, Federal CISO and deputy national cyber director, and Eric Goldstein, executive assistant director for cybersecurity at CISA, wrote in a March 11 blog post.

“By ensuring our government uses software products from software producers that leverage best practices for secure development, we not only strengthen the security of the Federal government, but drive improvements for customers across the globe,” they added. “We envision a software ecosystem where our partners in state and local government, as well as in the private sector, also seek these assurances and leverage software that is built to be secure by design.”

The attestation form for software producers is an integral part of an OMB directive issued in September 2022 that requires Federal agencies to take a range of actions to comply with National Institute of Standards and Technology (NIST) guidance on software security.

According to OMB, Federal agencies have six months from the form’s finalization to start collecting attestations for all third-party software.

DeRusha and Goldstein said the move will help reinforce CISA’s secure-by-design principles, which include:

  • Taking ownership of security outcomes so the burden of security does not fall solely on the customer;
  • Embracing radical transparency and accountability; and
  • Building organizational structure and leadership to achieve these goals.

This action will also advance the Biden administration’s National Cybersecurity Strategy, which includes a high-level goal of shifting more security responsibility onto providers of tech products and services.

“By using software from producers that use sound secure development practices, the Federal government not only protects its vital information systems, but also helps ensure that the government runs on software made by companies that prioritize and focus on these critical practices,” DeRusha and Goldstein concluded. “Through continued collaborative efforts by both the Federal government and the private sector, we will foster a more secure cyberspace.”

About the author: Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.