
SBOMs, Connected Device Security & CISA's Secure Software Attestation

Written by Finite State Team | Jun 18, 2024 8:06:32 PM

The Secure Software Development Attestation Form went into effect last week. This new attestation form, from the Cybersecurity and Infrastructure Security Agency (CISA), will be required for all US government contractors that provide software supporting critical infrastructure needs. 

The form requires US government contractors that support critical infrastructure to confirm that they followed secure-by-design principles in developing software and that they produced an SBOM (Software Bill of Materials) covering each component within it.

In this blog post, we explore how SBOMs and connected device security play pivotal roles in meeting these requirements and enhancing overall software supply chain security.

Understanding the Self-Attestation Form

The Self-Attestation Form, guided by Executive Order 14028 and subsequent OMB Memoranda, is a critical document that software producers must complete to certify their adherence to secure-by-design (SBD) software development practices. This form ensures that software used by federal agencies complies with the Secure Software Development Framework (SSDF) established by the National Institute of Standards and Technology (NIST). Key requirements include:

  • Developing software in secure environments.
  • Maintaining trusted source code supply chains.
  • Regularly checking for security vulnerabilities.
  • Documenting the provenance of internal code and third-party components.

Who Must Use the Form?

The Self-Attestation Form must be completed by any software producer whose products are used by federal agencies. This includes:

  1. Software developed after September 14, 2022.
  2. Software developed before September 14, 2022, but modified by major version changes after this date.
  3. Software delivered through continuous updates, such as software-as-a-service (SaaS) products.

Federal agencies will no longer utilize software from producers who fail to provide the required attestation, making this form an essential compliance measure for any software vendor aiming to serve the federal market.

Exemptions

Certain categories of software are exempt from the requirements of the Self-Attestation Form. These exemptions include:

  1. Software developed by federal agencies.
  2. Open-source software that is freely and directly obtained by a federal agency.
  3. Third-party open source and proprietary components that are incorporated into the software end product used by the agency.
  4. Software that is freely obtained and publicly available.

These exemptions ensure that the attestation requirements are focused on commercial software products and components, providing clarity for software producers on when the form is necessary.

The Role of SBOMs

A Software Bill of Materials (SBOM) is a comprehensive inventory of all components, libraries, and modules included in a software product. SBOMs provide transparency and traceability, enabling organizations to identify and manage vulnerabilities effectively. Here’s how SBOMs contribute to the objectives of the Self-Attestation Form:

1. Enhanced Transparency and Accountability

SBOMs offer a detailed view of all software components, including third-party libraries and dependencies. This transparency helps software producers and federal agencies understand the composition of their software, making it easier to identify and mitigate potential risks.

2. Improved Vulnerability Management

With an SBOM, organizations can quickly identify which components are affected by newly discovered vulnerabilities. This proactive approach to vulnerability management aligns with the requirement to employ automated tools for continuous security monitoring and vulnerability checking, as specified in the Self-Attestation Form.

3. Supply Chain Security

SBOMs facilitate the verification of the integrity and security of software components sourced from third parties. By maintaining a trusted source code supply chain, organizations can ensure that all components meet the necessary security standards, reducing the risk of supply chain attacks.
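As an added illustration of the matching step described under point 2 above (not code from the original post or from a Finite State product), the following Python script cross-references a constructed SBOM against a constructed advisory feed and reports which components fall inside each advisory's affected version range. The CycloneDX-style component layout, the advisory fields and the ADV-EXAMPLE identifiers are assumptions made for the example.

```python
import json
import re

# Constructed sample SBOM (not from the original post): a minimal
# CycloneDX-style component list carrying name, version and package URL.
SBOM_JSON = """{"components": [
  {"name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
  {"name": "zlib",    "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
  {"name": "busybox", "version": "1.35.0", "purl": "pkg:generic/busybox@1.35.0"}
]}"""

# Constructed advisory feed with placeholder identifiers (not real CVEs): each
# entry names a package and the [introduced, fixed) range of affected versions.
# "fixed": None means no fixed release exists yet.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "openssl", "introduced": "1.1.1",  "fixed": "1.1.1l"},
    {"id": "ADV-EXAMPLE-0002", "package": "zlib",    "introduced": "1.2.0",  "fixed": "1.2.12"},
    {"id": "ADV-EXAMPLE-0003", "package": "busybox", "introduced": "1.30.0", "fixed": None},
]

def version_key(version):
    """Comparable form of a version string: numeric runs compare as integers,
    letter runs as strings, so 1.1.1 < 1.1.1k < 1.1.1l and 1.2.9 < 1.2.13."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return [(0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts]

def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (or when no fix exists)."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)

def find_affected(sbom_json, advisories):
    """Cross-reference every SBOM component against the advisory feed and
    return the matches: the triage list an SBOM exists to produce quickly."""
    hits = []
    for comp in json.loads(sbom_json)["components"]:
        for adv in advisories:
            if adv["package"] == comp["name"] and is_affected(
                    comp["version"], adv["introduced"], adv["fixed"]):
                hits.append({"component": comp["name"], "version": comp["version"],
                             "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return hits

if __name__ == "__main__":
    for h in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{h['component']} {h['version']}: {h['advisory']} "
              f"(fixed in {h['fixed_in'] or 'no fix yet'})")
```

With the sample data, openssl 1.1.1k and busybox 1.35.0 are reported and zlib 1.2.13 is not, because the string-wise comparison that would have flagged 1.2.13 as older than 1.2.12 is avoided by comparing numeric runs as integers.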

Strengthening Connected Device Security

Connected devices, often part of the Internet of Things (IoT), introduce additional complexities to software security. Ensuring the security of these devices is crucial for comprehensive software supply chain security. Here’s how focusing on connected device security complements the Self-Attestation Form’s requirements:

1. Secure Development Environments

Developing software for connected devices in secure environments is critically important. This involves segregating development environments, enforcing multi-factor authentication, and regularly auditing access and authorization processes. These practices minimize the risk of unauthorized access and potential security breaches.

2. Continuous Monitoring and Incident Response

Connected devices require continuous monitoring for unusual activity or potential security threats. Implementing robust monitoring and incident response mechanisms ensures that any detected vulnerabilities or attacks are promptly addressed, maintaining the integrity of the software supply chain.

3. Compliance with Security Standards

Connected devices must comply with industry security standards and best practices. Ensuring that these devices meet the same stringent security requirements as software components helps maintain a unified approach to security across the entire software supply chain.

CISA’s Secure by Design Initiative

CISA's recent Secure by Design initiative further underscores the importance of integrating security from the ground up in software development. This initiative emphasizes that security should not be an afterthought but a foundational aspect of software creation. The principles of Secure by Design align seamlessly with the requirements of the Self-Attestation Form, advocating for:

  • Proactive Security Measures: Implementing security controls during the development phase rather than reacting to threats post-deployment.
  • Comprehensive Risk Management: Continuously identifying and mitigating risks throughout the software lifecycle.
  • Collaboration and Transparency: Encouraging collaboration between developers, security professionals, and stakeholders to ensure a holistic security approach.

By adopting the Secure by Design principles, software producers can ensure their products not only meet federal requirements but also set a higher standard for security in the industry. This proactive stance is essential for building resilient software systems that can withstand evolving cyber threats.

Conclusion

The Self-Attestation Form from CISA represents a significant step towards enhancing the security of software used by federal agencies. By leveraging SBOMs, focusing on connected device security, and embracing the principles of CISA's Secure by Design initiative, organizations can meet these stringent requirements and contribute to a more secure software supply chain. As the cybersecurity landscape continues to evolve, adopting these practices will be essential for safeguarding sensitive information and maintaining the trust of federal agencies and the public.

For more information on how Finite State can assist in navigating these requirements and implementing robust security measures, contact us today.

References

  • Cybersecurity and Infrastructure Security Agency (CISA). (2024). Secure Software Development Attestation Form Instructions.
  • National Institute of Standards and Technology (NIST). Secure Software Development Framework (SSDF).