Secure Software Development Attestation

Background:

On May 12, 2021, the President issued Executive Order 14028 on Improving the Nation’s Cybersecurity (EO 14028). This executive order tasked agencies with enhancing cybersecurity through various initiatives including strengthening the security of the software supply chain.

In support of EO 14028, the Office of Management and Budget (OMB) issued memoranda M-22-18 and M-23-16, establishing requirements to protect federal systems from threats and vulnerabilities. These policies aim to reduce the risk of cyber-attacks by ensuring the integrity of software through sound development practices, as described in NIST's Secure Software Development Framework (SSDF, SP 800-218). Under these policies, federal agencies may only use software from producers who can attest to the secure software development practices specified by the government.

For purposes of memoranda M-22-18 and M-23-16, the term “software” includes firmware, operating systems, applications, application services (e.g., cloud-based software), and products containing software, in the following cases:

  • Software developed after September 14, 2022
  • Software developed prior to September 14, 2022, but modified by a major version change after September 14, 2022
  • Software code where the producer delivers continuous changes (such as software-as-a-service products or other products using continuous delivery/continuous deployment)

The following categories are not in scope for M-22-18, as amended by M-23-16, and do not require a self-attestation:

  • Software developed by Federal agencies
  • Open-source software freely and directly obtained by a federal agency
  • Third-party open source and proprietary components incorporated into the software end product used by the agency
  • Software freely obtained and publicly available

Submitting the Secure Software Development Attestation

Download the Secure Software Development Attestation Common Form:

https://www.doi.gov/media/document/doi-software-attestation-form

File Naming Convention:

  • Name attestation forms using the convention described in the Common Form (i.e., SoftwareProducer_ProductName_Version_AttestationDate)
  • For company-wide attestation or multiple products, omit the product name and version number from the file name.

Submission Instructions:

  • Do not submit the Secure Software Development Attestation Form to the Cybersecurity and Infrastructure Security Agency (CISA) Repository for Software Attestations and Artifacts (RSAA).
  • Once the form is complete, submit it to sw-attestation@doi.gov.

Contact Information:

For any questions, contact sw-attestation@doi.gov.
