OMB, CISA set to release common form for software self-attestation

OMB and CISA officials plan to issue a common standard for software vendors to attest to the security of their products, possibly this week.

Federal CISO Chris DeRusha said the new standardized approach to collecting self-attestation forms from third-party software providers could be released as early as this week.

The Office of Management and Budget and the Cybersecurity and Infrastructure Security Agency are set to release a common form in the coming days that will serve as a standard for software vendors to attest to the security of their products to federal agency customers, a White House official said on Tuesday. 

Chris DeRusha, federal chief information security officer for OMB, said the White House is aiming to release a "common attestation form for secure software development practices" as early as this week to ensure federal agencies are procuring and implementing third-party information technology software that complies with the National Institute of Standards and Technology standard Secure Software Development Framework. DeRusha spoke alongside Federal Chief Information Officer Clare Martorana at an event hosted by the Alliance for Digital Innovation in San Francisco.

The expected release of the common form comes after the Biden administration issued an executive order on improving the nation's cybersecurity in 2021 and a follow-up OMB memo later that year requiring federal agencies to obtain self-attestation forms from software vendors.

DeRusha described the forthcoming standardized form as "rubber meeting the road," adding that his agency and CISA "will test it with the world and see if we got it right" then use agile and continuous development methods to make any necessary modifications. 

Some acquisition officials have expressed concerns over a September deadline the White House implemented for agencies to begin collecting the self-attestation forms. 

Joanne Woytek, program manager of NASA's Solutions for Enterprise Wide Procurement contract, said at a summit in January that requiring software vendors to confirm their compliance with security standards is "not as simple as it sounds." 

"I don't know what's going to happen by September," she said. "We're either going to find some magic wand that makes it happen, or we're going to have some discussions with the [Office of Management and Budget] and figure out when this can happen."

The White House says it's implementing the new self-attestation forms to leverage federal procurement powers in a sweeping effort to secure the software supply chain. Other security experts have supported the administration's push to integrate self-attestation forms across federal agencies. 

Eric Baize, vice president of product and application security at Dell Technologies, previously told FCW that requiring a standardized approach to secure software development allows the federal government to "better mitigate risk and help reduce the number of vulnerabilities released in software."

Federal agencies have until June to officially begin collecting self-attestation forms from "critical software providers," and until Sept. 14 to collect the forms from all third-party software providers on their networks.