In March 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released the final version of its secure software development self-attestation common form (Form), requiring federal government contractors who produce and provide software to verify that it complies with government-specified, minimum secure software development practices. Nearly one year ago, CISA published a draft version of the Form requesting public comment. PilieroMazza discussed some of the key requirements and implications of the draft form here. Contractors who sell software to the government or produce software that is eventually sold to the government should understand how to complete the Form to ensure they meet potential contract award requirements.

Background

The Office of Management and Budget (OMB) released a memorandum on September 14, 2022, requiring agencies obtain self-attestations from software producers before using their software. These attestations would provide assurances that the software complies with a minimum set of secure software development practices (SSDF) as described in the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF) (Special Publication 800–218). OMB then issued another memorandum on June 6, 2023, extending the deadline for agencies to collect these attestations as well as the scope of requirements from the September 14, 2022, memo. Attestations generally must be collected from producers of software end products used by an agency. As a result, and to the extent a software end product contains a third-party component, the producer of the end product will be attesting that the incorporated third-party component was produced in compliance with the SSDF practices.

What Software is Covered by the Form

Software broadly encompasses firmware, operating systems, applications, application services (e.g., cloud-based software), and products containing software. Attestations would be collected from producers of software used by the agency if that software was developed after September 14, 2022, or for software developed prior to September 14, 2022, if that software is used by a federal agency and is either modified by one or more major version changes after September 14, 2022, or is a hosted service that deploys continuous updates. For all software subject to these requirements, attestations must be collected within six months after March 8, 2024, so on or around September 8, 2024.

Attestations for critical software, on the other hand, will be required on an expedited basis. Critical software is defined as software dependent upon a component with at least one of the following attributes:

1. designed to run with elevated privileges or manage privileges;
2. has direct or privileged access to networking or computing resources;
3. is designed to control access to data or operational technology;
4. performs a function critical to trust; or
5. operates outside of normal trust boundaries with privileged access.

For critical software subject to the requirements of OMB’s above-mentioned memoranda, attestations must be collected no later than three months after March 8, 2024, or on or around June 8, 2024.

Notable Differences and Clarifications from Draft Form

1. Clarifying What Types of Software Do Not Require Attestations. In the draft form, only (i) software developed by federal agencies and (ii) software freely obtained (e.g., freeware, open source) directly by a federal agency were exempt from the Form’s requirements. Now, the Form was revised to clarify the following types of software do not require producers to complete the attestation:

a. software developed by federal agencies;
b. open-source software that is freely and directly obtained by a federal agency;
c. third-party open source and proprietary components incorporated into the software end product used by the agency; or
d. software freely obtained and publicly available.

2. Providing a Third-Party Assessment Instead of Signing the Form. A new option for software producers is to provide a third-party assessment demonstrating conformance with the minimum requirements. The assessment must be completed by a Third-Party Assessor Organization (3PAO) that was FedRAMP certified or approved in writing by an appropriate agency official. To take advantage of this option, the software producer must check the appropriate box in Section III of the Form and attach the assessment to the form prior to uploading it to CISA’s repository.

Obtaining these forms is extremely important for agencies that cannot use the relevant software until a signed form is completed and uploaded by the software producer. Offerors should submit the Form online via the following link. If unable to submit electronically, the Form contains mailing instructions.

As we await implementation of this requirement into the Federal Acquisition Regulation, contractors who produce or provide software to agencies should carefully review solicitations where the Form could be attached and required as a pre-condition of contract award. Obtaining the software producer’s signature could take longer than initially expected. Alternatively, and hopefully, to the benefit of many, the Form provides contractors with the ability to provide a third-party assessment instead, which, under some circumstances, could be a quicker and more readily available option.