A Step Towards Secure Software Development

Executive Order 14028 on Improving the Nation's Cybersecurity (EO 14028) was signed in 2021 to improve the security of software used by the federal government. The order calls for “contract language requiring suppliers of software available for purchase by agencies to comply with, and attest to complying with” specific security requirements, including “conformity with secure software development practices” and ensuring “the integrity and provenance of open-source software used within any portion of a product.”

To implement this, CISA and OMB released a Secure Software Development Attestation Form for software producers on March 11, 2024. At the same time, CISA went live with its “Repository for Software Attestation and Artifacts,” where completed forms are submitted.

Among other things, the Form requires “the Chief Executive Officer (CEO) of the software producer or their designee, who must be an employee of the software producer and have the authority to bind the corporation” to attest to the existence of specific controls summarized below:

(1) The software is developed and built in secure environments (including environment segregation, regular logging, monitoring, and auditing of trust relationships used for authorization and access, MFA and conditional access, continuous monitoring of operations and alerts, etc.).

(2) The software producer makes a “good faith” effort to maintain trusted source code supply chains by employing automated tools or comparable processes to address the security of internal code and third-party components and to manage related vulnerabilities.

(3) The software producer maintains provenance for internal code and third-party components incorporated into the software to the greatest extent feasible. 

(4) The software producer employed automated tools or comparable processes that check for security vulnerabilities. 

The form also requires the software producer to attest that “it will notify any agency to which it has submitted this form if and when the producer ceases to make consistent use of the practices identified above in developing the software.”

Because the attestor is generally not required to provide any evidence or detail to support this attestation, it may be tempting for some software producers to attest without validating that they are actually meeting these requirements. The form clarifies that “willfully providing false or misleading information may constitute a violation of 18 U.S.C. § 1001, a criminal statute.” The DOJ does prosecute Section 1001 violations, so if you must fill out this attestation but cannot do so truthfully, it’s best to discuss your options with competent counsel to be sure you are not committing a federal crime.


While this requirement currently applies only to the Federal Government, we have seen in the past that states eventually adopt this type of requirement, and it may also flow down to the private sector through contractual obligations.
