Feds seek attestation on secure software

Form published to ensure software producers abide by secure development techniques.


The US federal government has released a software attestation form intended to ensure that software producers partnering with the government leverage minimum secure development techniques and tool sets.

The form was announced March 11 by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which developed the form with the Office of Management and Budget (OMB). The form identifies the minimum secure software development requirements a software producer must meet and attest to meeting. Software requires attestation if it was developed after September 14, 2022. Software developed prior to this date requires attestation if it was modified by major version changes after September 14, 2022. Attestation is also required if the producer delivers continuous changes to the code.

Those seeking attestation must affirm that the software was developed and built in secure environments. Those environments must be secured by measures such as enforcing multifactor authentication and conditional access across the environments relevant to developing and building the software, in a manner that minimizes security risk.

Software developed by federal agencies does not require self-attestation. Neither does open source software freely and directly obtained by a federal agency, third-party open source and proprietary components incorporated into the software, or software that is freely obtained and publicly available. CISA’s repository for online form submission is expected to be available in late March, providing a window to ensure relevant software providers have the necessary time to understand the form’s content and requirements.

Copyright © 2024 IDG Communications, Inc.