The Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS) recently published a draft version of a Secure Software Development Attestation Common Form. The draft Common Form is designed to confirm that software producers (i.e., the manufacturers/developers of software products) have followed minimum secure software development practices in compliance with guidance created by the National Institute of Standards and Technology (NIST). Such affirmation was mandated by a White House Office of Management and Budget (OMB) memorandum issued September 14, 2022, as a prerequisite to acquisition of software by federal agencies. Interested parties have until June 26, 2023 to comment on the draft form.
As we have previously advised, the purpose of the self-attestation form is to enhance the security of the nation’s software supply chain, which has been proven vulnerable by incidents like the Colonial Pipeline and SolarWinds attacks. The Common Form marks one step towards increased transparency, stability, and security of the software acquired by the federal government, consistent with President Biden’s Executive Order 14028, Improving the Nation’s Cybersecurity.
What Does the Common Form Entail?
The Common Form is composed of three sections. Section I requires a list of the software to which the attestation applies, including software product name, version number, and release/publish date. Section II collects information about the software producer (name, address, etc.) and the responsible primary contact. Section III requires a signed attestation by the Chief Executive Officer or delegate that affirms the producer complied with the standards and best practices established in NIST Special Publication (SP) 800-218, “Secure Software Development Framework” (SSDF).
Specifically, the form requires producers to attest:
- The software is developed and built in secure environments;
- The software producer made a good-faith effort to maintain trusted source code supply chains;
- The software producer maintains provenance data for internal and third-party source code incorporated into the software; and
- The software producer employs automated tools or comparable processes that check for security vulnerabilities.
Agencies may also include additional requirements, such as a request for a Software Bill of Materials (SBOM) or other artifacts or documentation. Agencies may require that such additional documentation or artifacts be either attached to the Common Form or maintained and updated at another agency-designated location online. It is anticipated that the Common Form will be a fillable PDF that will be submitted electronically by the software producer to CISA.
What Software Is Covered by the Attestation Requirement?
The Common Form covers three categories of software, based on its development date. A Common Form attestation is required for all software developed after September 14, 2022, in order to sell to the federal government. The Common Form is also required for existing software modified after September 14, 2022 with major version changes (e.g., using a semantic versioning schema of Major.Minor.Patch, the software version number goes from 2.5 to 3.0). Finally, the Common Form is required for software for which the producer delivers continuous changes to the software code (such as software-as-a-service products or other products using continuous delivery/continuous deployment).
Software freely obtained directly by a federal agency (e.g., freeware or open-source software) and software developed internally by federal agencies require no attestation. However, open-source elements incorporated by software producers into a software deliverable must be part of the software producer’s attestation.
If the relevant software has been verified by a certified FedRAMP third-party assessor organization (3PAO) or other 3PAO approved in writing by an appropriate agency official in accordance with relevant NIST guidance, the software producer does not need to submit an attestation, but must provide relevant documentation from the 3PAO instead.
If it cannot fully attest to compliance with the SSDF, a software producer must provide documentation identifying the practice(s) to which it cannot attest. The purchasing agency then must document the practices the agency has in place to mitigate resulting risks and require a plan of actions and milestones (POAM) from the software producer to address compliance gaps.
What Is the Estimated Burden?
DHS estimates the total opportunity cost to all software producers of completing the Common Form will be $923,623 annually, based on BLS labor rates and the following estimates. DHS anticipates receiving 2,689 initial form submissions and 1,345 resubmissions of the form (due to major software changes) per year. Each initial submission will impose a three-hour burden on a quality assurance analyst or tester to understand the requirements and gather the information. Additionally, DHS estimates a Chief Information Security Officer (CISO) will require 20 minutes to review and approve the release of information in each initial submission.
DHS assumes that half of initial submissions will result in a resubmission for a major software change or update. DHS estimates that each resubmission will require an additional hour and 30 minutes from a software quality assurance analyst or tester to complete and 20 minutes from a CISO to review. Failure to ensure the accuracy of the attestation may result in a far greater burden, including potential False Claims Act liability and suspension or debarment.
Next Steps for Software Producers
Affected software producers, as well as resellers of software products, systems integrators, and other affected parties, are encouraged to submit comments on the draft Common Form, the information requested therein, and the feasibility of the attestation. DHS and CISA are particularly interested in comments regarding the practical utility of the proposed information collection: whether DHS accurately estimated the burden on the producers, and ways DHS might enhance the quality, utility, and clarity of the information collected. The practicality of the attestation’s application to open-source components of software products may be particularly ripe for comment.
Once the Common Form is required, software producers should bear in mind that completion of the form is mandatory and that failure to provide any of the information requested may result in the inability to sell the software to the federal government. Further, providing false or misleading information may constitute a violation of the criminal False Statements Act or could result in a violation of the False Claims Act in connection with a sale.