The Secure Software Development Attestation Form went into effect last week. This new attestation form, from the Cybersecurity and Infrastructure Security Agency (CISA), will be required for all US government contractors that provide software supporting critical infrastructure needs.
The form requires US government contractors that support critical infrastructure to confirm that they followed secure-by-design principles in developing software and that they produced an SBOM (Software Bill of Materials) covering each component within it.
In this blog post, we explore how SBOMs and connected device security play pivotal roles in meeting these requirements and enhancing overall software supply chain security.
The Self-Attestation Form, guided by Executive Order 14028 and subsequent OMB Memoranda, is a critical document that software producers must complete to certify their adherence to secure-by-design (SBD) software development practices. This form ensures that software used by federal agencies complies with the Secure Software Development Framework (SSDF) established by the National Institute of Standards and Technology (NIST). Key requirements include:
The Self-Attestation Form must be completed by any software producer whose products are used by federal agencies. This includes:
Federal agencies will no longer utilize software from producers who fail to provide the required attestation, making this form an essential compliance measure for any software vendor aiming to serve the federal market.
Certain categories of software are exempt from the requirements of the Self-Attestation Form. These exemptions include:
These exemptions ensure that the attestation requirements are focused on commercial software products and components, providing clarity for software producers on when the form is necessary.
A Software Bill of Materials (SBOM) is a comprehensive inventory of all components, libraries, and modules included in a software product. SBOMs provide transparency and traceability, enabling organizations to identify and manage vulnerabilities effectively. Here’s how SBOMs contribute to the objectives of the Self-Attestation Form:
SBOMs offer a detailed view of all software components, including third-party libraries and dependencies. This transparency helps software producers and federal agencies understand the composition of their software, making it easier to identify and mitigate potential risks.
With an SBOM, organizations can quickly identify which components are affected by newly discovered vulnerabilities. This proactive approach to vulnerability management aligns with the requirement to employ automated tools for continuous security monitoring and vulnerability checking, as specified in the Self-Attestation Form.
SBOMs facilitate the verification of the integrity and security of software components sourced from third parties. By maintaining a trusted source code supply chain, organizations can ensure that all components meet the necessary security standards, reducing the risk of supply chain attacks.
Connected devices, often part of the Internet of Things (IoT), introduce additional complexities to software security. Ensuring the security of these devices is crucial for comprehensive software supply chain security. Here’s how focusing on connected device security complements the Self-Attestation Form’s requirements:
Developing software for connected devices in secure environments is critically important. This involves segregating development environments, enforcing multi-factor authentication, and regularly auditing access and authorization processes. These practices minimize the risk of unauthorized access and potential security breaches.
Connected devices require continuous monitoring for unusual activity or potential security threats. Implementing robust monitoring and incident response mechanisms ensures that any detected vulnerabilities or attacks are promptly addressed, maintaining the integrity of the software supply chain.
Connected devices must comply with industry security standards and best practices. Ensuring that these devices meet the same stringent security requirements as software components helps maintain a unified approach to security across the entire software supply chain.
CISA's recent Secure by Design initiative further underscores the importance of integrating security from the ground up in software development. This initiative emphasizes that security should not be an afterthought but a foundational aspect of software creation. The principles of Secure by Design align seamlessly with the requirements of the Self-Attestation Form, advocating for:
By adopting the Secure by Design principles, software producers can ensure their products not only meet federal requirements but also set a higher standard for security in the industry. This proactive stance is essential for building resilient software systems that can withstand evolving cyber threats.
The Self-Attestation Form from CISA represents a significant step towards enhancing the security of software used by federal agencies. By leveraging SBOMs, focusing on connected device security, and embracing the principles of CISA's Secure by Design initiative, organizations can meet these stringent requirements and contribute to a more secure software supply chain. As the cybersecurity landscape continues to evolve, adopting these practices will be essential for safeguarding sensitive information and maintaining the trust of federal agencies and the public.
For more information on how Finite State can assist in navigating these requirements and implementing robust security measures, contact us today.