Cyber

CISA issues draft attestation form for government software providers

Industry vendors have until June 26 to comment on the provisional document.

April 28, 2023

Close-up Of Hand Holding Pen Over Survey Form. (Image credit: Getty Images)

The Cybersecurity and Infrastructure Security Agency on Thursday published a draft attestation form for software providers working with federal government agencies.

The agency launched a 60-day request for comment period, during which industry is able to submit feedback on the document.

The new form was developed in collaboration with the White House and is based on practices established in the National Institute of Standards and Technology’s Secure Software Development Framework.

Software providers working with federal government agencies will shortly have to start signing the letters of attestation. The documents will be then collected by each department and held “in one central agency system” until CISA establishes a central repository.

Publication of the draft attestation letter format comes after the White House in a software supply chain memo issued last September set out new requirements for federal agencies to ensure that all third-party IT software deployed adheres to National Institute of Standards and Technology supply chain security requirements.

As part of this, they will have to ensure that attestation forms are collected from software contractors they work with.

That memo is one of several policy initiatives from the White House intended to improve cybersecurity standards across federal agencies.

In March, the Biden administration published a new national cybersecurity strategy, which sought to shift the responsibility for maintaining the security of computer systems away from consumers and small businesses onto larger software makers.

The White House strategy document planted a major flag in this debate on the side of those who would like to expose software makers to face liability. “Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers,” the strategy document argued.

Editor’s note, 5/1/23, 1:30 p.m. ET: This article was updated to clarify that government agencies will hold software providers’ letters of attestation on an interim basis while CISA creates a central repository for the documents.

CISA issues draft attestation form for government software providers

More Like This

Federal cyber leaders proceed with caution on AI as a defensive tool

Department of Education begins market research for cloud capabilities

House bill calls on CISA to form AI task force

Top Stories

DeRusha stepping down from federal CISO role

White House procurement office releases data circular as it celebrates 50th anniversary

NIST issues final guidance update for protecting sensitive information

NASA has a new chief AI officer

NSF is piloting an AI chatbot to connect people with grants

USDS impact report showcases ‘a year of launching things’

Nuclear Regulatory Commission staff recommends AI framework, identifies potential use cases

More Scoops

The CAIO’s role in driving AI success across the federal government

Cybersecurity executive order requirements are nearly complete, GAO says

CISA, OMB release secure software development attestation form

CISA establishing new office focused on zero trust

On some basic metadata practices, US government gets an ‘F,’ per new online tracker

CISA seeking comments on its ‘secure by design’ guidance

Only 3 agencies have hit deadline for cyber event logging standards, GAO finds

Latest Podcasts

CISA issues draft attestation form for government software providers

How NASA is embracing AI to advance mission-critical efforts

Former U.S. Deputy CTO Nick Sinai joins the podcast

Nutanix’s Jason Langone on the best way to get an easy win with AI

Tech

Defense

Cyber

FedScoop TV