A secure software development attestation form has been approved by the Federal Government in an attempt to ensure that contracted developers of software assume responsibility for the security risks in the protection of federal information. The form was released by the Cybersecurity and Infrastructure Security Agency (CISA) Office of Management and Budget (OMB) on April 1, 2024.
This release follows Executive Order 14028 which the Biden administration enacted following the Sunburst supply chain attack of 2021 that effected government, telecom, consulting, and technology organizations world wide. Following this Memo 22-18 stipulated that federal agencies must receive attestation from their software providers. The term software includes firmware, operating systems, and applications.
Required Information in the Form
The Secure Software Development Attestation Form requires the producer to provide a description of the software and the organization. This form must be signed by the CEO or their designee. This signing attests that the software meets the requirements of M-22-18.
The form must be submitted for any software developed or significantly upgraded after September 14, 2022. Failure to provide information may result in loss of contract. If an agency cannot obtain this attestation the agency may still use the software if producer identifies practices not in place and submits a Plan of Actions and Milestones (POA&M) to address these issues.
Extant Software Development Requirements
NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, is a requirement for organizations involved in contracts with federal agencies to ensure that their supply chains adequately protect controlled information. These requirements include secure coding and manufacturing practices.
Additionally, the Department of Defense (DoD) is requiring all suppliers to perform a NIST SP 800-171, and ISMS implementation as a contractual requirement. This will also include Cybersecurity Maturity Model Certification 2.0 (CMMC) which is expected to be a requirement by 2026.
CVG Strategy Information Security Management System Consultants
An increasing number of businesses are finding that they are required to meet challenging information security levels to meet the requirements of conducting business with governmental agencies. To assist businesses to meet the challenges in adopting a variety of NIST and CMMC 2.0 requirements, CVG Strategy has developed an approach that combines the requirements of CMMC compliance with the ISO 27001 information security management system. This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.
It involves processes, facility security, people, and IT systems to engage in best practices. It also involves a constant improvement approach so that threats can be continually assessed and addressed as they evolve. This business system can help your organization remain vigilant against economic espionage and cyberattacks conducted by China and other nation states.
We can help you meet your information security management system goals. CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors. We can provide the training required to understand and engage in a ISMS and make it meet desired objectives. This process includes defining the context of your organization, creation of internal auditing processes and much more.