Process to Verify Software Was Built Securely Begins Today

June 12, 2024 at 03:30PM

Starting June 11, US government contractors supplying software deemed part of critical infrastructure must submit a Secure Software Development Attestation Form, confirming that the software was built according to secure-by-design principles and that its components were scrutinized and documented through software bills of materials (SBOMs). A survey presented at RSA Conference found that only 20% of respondents are prepared for this federal cybersecurity attestation, and just 16% have incorporated SBOMs into their software development. Vendors of all other software have until Sept. 11 to self-attest.

The key takeaways from the article are:

1. Starting June 11, US government contractors providing software deemed part of critical infrastructure must submit a form attesting that the software follows secure-by-design principles and that each of its components has been scrutinized, with that scrutiny documented in software bills of materials (SBOMs).

2. The Cybersecurity and Infrastructure Security Agency (CISA) published the Secure Software Development Attestation Form in March, and a recent survey presented at RSA Conference suggested that many vendors are not ready to meet the deadline for federal cybersecurity attestation.

3. Only about 20% of the survey respondents are prepared to meet the deadline, and just 16% have incorporated SBOMs into their software development, even though SBOMs are a key part of compliance.

4. President Biden's Executive Order on Improving the Nation's Cybersecurity (EO 14028) set a roadmap for making US government systems, and all the software running on them, traceable and auditable. The Secure Software Development Attestation Form is one result of that order; it must be signed by the vendor's CEO or an authorized designee.

5. The form is available for download as a fillable PDF or as an online form through the Repository for Software Attestations and Artifacts portal.

6. Vendors of software not deemed critical do not have to begin self-attestation until September 11.
