Software Developments: CISA Finalizes Attestation Form, Triggering Secure Software Development Implementation
Client Alert | 2 min read | 03.21.24
On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) published an updated Secure Software Development Attestation Form, meaning that producers of software and providers of products containing software used by the federal government may be required to submit their attestations in the very near future. The Attestation Form, first published in April 2023, is a key cog in CISA’s implementation of software supply chain security requirements in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity and OMB Memoranda M-22-18 and M-23-16.
Attestation Form Applicability and Content
The Attestation Form broadly requires software producers and suppliers of products containing software to affirm that their software development practices for in-scope software conform with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-218 and the NIST Software Supply Chain Security Guidance.
Per OMB M-22-18 and M-23-16, Attestation Forms will be required from producers of third-party software used by federal agencies if the software:
- is developed after September 14, 2023;
- is modified by major version changes after September 14, 2022; or
- is software to which the developer delivers continuous changes to the software code (e.g., software-as-a-service (SaaS) offerings or other products using continuous delivery/continuous deployment).
“Software” subject to attestation includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.
Attestation Deadline
M-23-16 explained that Attestation Form submissions would be due:
- for “critical software,”[1] no later than three months following OMB approval of the Attestation Form under the Paperwork Reduction Act (PRA), or
- for all other in-scope software, no later than six months following OMB PRA approval.
OMB apparently provided PRA approval on March 8, 2024, suggesting that the respective submission deadlines will fall three and six months after that date. Separately, CISA published the Attestation Form on March 11 but has yet to confirm the submission deadlines. Crowell continues to monitor updates from OMB and CISA, and we will update this alert when the Attestation Form submission deadlines are confirmed.
[1] As defined in OMB Memorandum M-21-30.
Contacts
Senior Counsel
She/Her/Hers
Insights
Client Alert | 6 min read | 05.02.24
DDTC Publishes Proposed ITAR Amendments to Enhance AUKUS Defense Trade
On May 1, 2024, the Department of State’s Directorate of Defense Trade Controls (DDTC) published a proposed rule that, if implemented, would streamline defense trade between and among Australia, the United Kingdom (UK), and the United States in furtherance of the trilateral security partnership (the “AUKUS” partnership). DDTC issued the proposed rule pursuant to new authorities and requirements contained in Section 1343 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2024 which, in part, directs the Department of State to immediately implement an International Traffic in Arms Regulations (ITAR) exemption, subject to certain statutory limitations, for the UK and Australia if State determines and certifies that each has implemented (1) a system of export controls comparable to those of the United States and (2) a comparable exemption from its export controls for the United States. According to DDTC, the proposed rule “prepare[s] for a future exemption” and solicits public feedback “to shape a final rule following any positive certification.”
Client Alert | 3 min read | 05.02.24
EEOC Publishes Final Rule Clarifying Critical Components of the Pregnant Workers Fairness Act
Client Alert | 2 min read | 05.02.24
False Claims Act Settlement Illustrates Value of Disclosure and Cooperation
Client Alert | 20 min read | 05.01.24
