Process to Verify Software Was Built Securely Begins Today
Starting June 11 — today — US government contractors providing software that is considered part of the critical infrastructure will need to fill out a form asserting that their software followed secure-by-design principles and that each component within it was under their scrutiny, as documented in software bills of materials (SBOMs). The Cybersecurity and Infrastructure Security Agency (CISA) published the Secure Software Development Attestation Form back in March. A recent survey conducted at RSA Conference by supply chain security management company Lineaje suggested that many vendors are not ready.
When asked whether they were prepared to meet the deadline for federal cybersecurity attestation, only about 20% of the respondents said they were, Lineaje said. Even worse, only 16% said their company had incorporated SBOMs into software development, a key part of compliance.
In May 2021, after the widely publicized SolarWinds supply chain compromise (the Log4j exploit, disclosed that December, would later reinforce the point), US President Joe Biden put government contractors on notice that they needed to start meeting tougher standards for cybersecurity practices. Biden's Executive Order on Improving the Nation's Cybersecurity (EO 14028) set a roadmap for making the US government more secure by making its systems, and all the software on them, traceable and auditable.
That resulted in the Secure Software Development Attestation Form, in which the CEO or an authorized designee attests that their company "presently makes consistent use of the following practices, derived from the secure software development framework (SSDF)," including "maintaining provenance" of all components and instituting a vulnerability reporting system. The SSDF referenced is NIST's Secure Software Development Framework (SP 800-218). The form is available for download as a fillable PDF or as an online form through CISA's Repository for Software Attestations and Artifacts portal.
For all other software — that not deemed critical — vendors have until Sept. 11 to submit their self-attestations.