Process to Verify Software Was Built Securely Begins Today

Starting June 11 — today — US government contractors providing software that is considered part of the critical infrastructure will need to fill out a form asserting that their software followed secure-by-design principles and that each component was under their scrutiny in the form of software bills of material (SBOMs). The Cybersecurity and Infrastructure Agency's (CISA) published the Secure Software Development Attestation Form back in March, though a recent study at RSA Conference by supply chain security management company Lineaje suggested that many vendors are not ready.

When asked whether they were prepared to meet the deadline for federal cybersecurity attestation, only about 20% of the respondents said they were, Lineaje said. Even worse, only 16% said their company had incorporated SBOMs into software development — a key part of compliance.

In May 2021, after widely publicized incidents such as the SolarWinds saga and the Log4j exploit, US President Joe Biden put government contractors on notice that they needed to start meeting tougher standards for cybersecurity practices. President Biden's Executive Order on Improving the Nation’s Cybersecurity (EO 14028) set a roadmap for making the US government more secure by making its systems, and all the software on them, traceable and auditable.

That resulted in the Secure Software Development Attestation Form, which a CEO or authorized designee must sign to swear that their company "presently makes consistent use of the following practices, derived from the secure software development framework (SSDF)," including "maintaining provenance" of all components and instituting a vulnerability reporting system. The form is available for download as a fillable PDF or as an online form through the Repository for Software Attestations and Artifacts portal.

For all other software — those not deemed critical — vendors don't have to start with self-attestation until Sept. 11.