The Executive Office of the President Extends Deadline for the Collection of Software Security Attestation Forms

CodeLock Key Takeaway

The Office of Management and Budget (OMB) has recently announced an extension to the deadline for collecting software security attestation forms from contractors. This decision underscores the White House's commitment to ensuring the use of securely developed software by federal agencies. The extension provides agencies with additional time to ensure software vendors comply with the necessary security practices, contributing to a safer software ecosystem for government use.

The OMB's memo extended the original deadline of June 12 by six months, thereby allowing agencies more time to ensure software vendors have taken the appropriate steps to prepare and provide necessary software security attestation forms. These forms require software producers serving the government to confirm the implementation of specific security practices and play a crucial role in ensuring all software products are safe and secure by design.

"Strong software security attestation forms are crucial to ensuring the safety and integrity of software products used by federal agencies."

CISA, the Cybersecurity and Infrastructure Security Agency, has been actively involved in developing the self-attestation form in consultation with the OMB. The form is based on practices outlined in the National Institute of Standards and Technology's Secure Software Development Framework (SSDF).

To further support agencies in providing comprehensive attestation reports, CodeLock® has secured a contract from the Virginia Innovation Partnership Corporation (VIPC). Through the CodeLock® platform, agencies can generate attestation reports with detailed artifacts and evidence.

Conclusion

The OMB's memo also provides clarification on the collection of attestations. It emphasizes that the producer of the software end product used by an agency is best positioned to ensure its security. Therefore, attestations must be collected from the producer, serving as an affirmative statement that they follow the secure software development minimum requirements outlined in the common form.

The OMB's extension to the deadline for collecting software security attestation forms allows agencies more time to ensure software vendors comply with necessary security practices. With the involvement of CISA and the adoption of CodeLock®'s solutions, agencies can generate comprehensive attestation reports and enhance the security of software used in the government. By aligning with government-specified secure software development practices, agencies can promote a safer software ecosystem and strengthen their overall cybersecurity posture.
