CISA & OMB Mandate Secure Development Attestation from Software Providers for U.S. Government

Posted by

Amy Schurr

Content Marketing Director
Amy Schurr is content marketing director for NowSecure. A former B2B journalist, she has spent her career covering technology and how it enables organizations.

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) and Office of Management and Budget (OMB) released a secure software development attestation form on March 11, 2024, in a long-awaited follow-up to Executive Order (EO) 14028. EO 14028, “Improving the Nation’s Cybersecurity,” outlines the federal cybersecurity strategy to reduce software supply-chain risks. The OMB M-22-18 memo, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices,” and the M-23-16 update stipulate that federal agencies may use software only if the provider attests to following the NIST Secure Software Development Framework (SSDF).

Companies that make mobile apps used by the United States federal government have six months or less to attest that they follow standard secure development practices. The Biden administration initiative to bolster cybersecurity places the onus for verifying secure-by-design principles on CEOs or a designated leader who can legally bind the company. The mandate increases accountability for mobile application security and potentially enables the federal government to hold vendors liable for their secure software development practices.

Organizations must complete the self-attestation form for all releases, or the federal government must stop using the software. The form will be required for software designated as “critical software” as soon as June 8, 2024, and for all commercial software after Sept. 8, 2024.

“By ensuring our government uses software products from software producers that leverage best practices for secure development, we not only strengthen the security of the federal government, but drive improvements for customers across the globe,” wrote Chris DeRusha, federal CISO and deputy national cyber director and Eric Goldstein, executive assistant director for cybersecurity at CISA in a blog post. “We envision a software ecosystem where our partners in state and local government, as well as in the private sector, also seek these assurances and leverage software that is built to be secure by design.”


Attestation Impact on Mobile AppSec & DevSecOps

The new CISA and OMB secure software development attestation form has several implications for mobile application security and mobile DevSecOps teams. 

What mobile apps does the requirement apply to? M-23-16 defines software as ‘firmware, operating systems, applications and application services (e.g., cloud-based software), as well as products containing software.’ This all-encompassing description certainly includes mobile apps as part of the digital ecosystem. NowSecure CEO Alan Snyder adds, “It is unclear if ‘free’ mobile apps that are not associated with any “for fee” capabilities are required to complete the attestation form, but given the intent of the process to improve federal cybersecurity, do you want to be the test case to find out?”

The self-attestation requirements apply to all software developed or significantly modified after Sept. 14, 2022, with the exception of open-source software and software that federal agencies develop internally. In an important distinction, the software producer’s CEO or their designee must sign the form that is filed with the U.S. government. That person must be an employee of the software producer and have the authority to bind the corporation, escalating ownership of security outcomes to the highest levels of the company.

Mobile app makers that supply the federal government should immediately ramp up on the secure software development attestation form requirements and review their secure development practices so they can sign off in confidence by the September deadline. 

The earlier June deadline applies to critical software. NIST defines critical software as software that has direct software dependencies on one or more components with at least one of these attributes:

  • is designed to run with elevated privilege or manage privileges
  • has direct or privileged access to networking or computing resources
  • is designed to control access to data or operational technology 
  • performs a function critical to trust
  • operates outside of normal trust boundaries with privileged access.

CISA and OMB will launch an online repository for the software attestation forms later this month, though they will also accept a PDF version of the new form. A summary of the secure software development stipulations is below, and NowSecure highly recommends a thorough review of the entire attestation form:

  • The software is developed and built in secure environments. 
  • The software producer makes a good effort to maintain trusted source code supply chains.
  • The software producer maintains provenance for internal code and third-party components to the greatest extent feasible.
  • The software producer employs automated tools or comparable processes that check for security vulnerabilities and operates these on an ongoing basis and prior to product, version or update releases.

How NowSecure Can Aid Attestation

Mobile app makers must use automated tools, or equivalent processes, to check for vulnerabilities. Because the attestation form is needed for every release, automation is the only practical way to satisfy the requirements for mobile apps with a frequent release cycle. NowSecure Platform continuous automated mobile application security testing helps developers find and fix security and privacy bugs as they go. It also uncovers security issues in third-party software components.

NowSecure can help with the following attestation requirements for mobile apps:

  • 1d) Take consistent and reasonable steps to document and minimize use of software that creates undue risk.
  • 1e) Encrypt sensitive data.
  • 2) Address the security of third-party components and manage related vulnerabilities.
  • 3) Maintain provenance for internal code and third-party components as feasible.
  • 4a) Employ automated tools that check for security vulnerabilities on an ongoing basis prior to product, version or update releases.
  • 4b) Have a policy or process to address security vulnerabilities prior to release.

NowSecure software logs all analysis and remediation activities and generates a mobile app attestation form that demonstrates compliance with industry security standards. Partnering with NowSecure can help mobile app makers meet the federal cybersecurity standards and OMB mandates with confidence. Contact us for a NowSecure Platform demo to see the mobile AppSec testing solution in action.