The Cybersecurity and Infrastructure Security Agency (CISA) on March 11th finalized the Attestation Letter for software vendors, marking a significant step towards addressing software security across federal systems.

Software producers must furnish Attestation letters to CISA (https://www.cisa.gov/resources-tools/resources/secure-software-development-attestation-form) and linked SBOMs to agencies using their software. The clock starts with the final approved release of the CISA Attestation form yesterday.

Expected date for critical software vendors to adhere: June 11, 2024

Expected date for all software vendors to adhere: September 11, 2024

What Does This Mean for Software Vendors?

For software vendors engaging with Federal Government Agencies, the finalized CISA Attestation Letter carries immense significance. It serves as a formal declaration of adherence to critical security requirements outlined in the Executive Order 14028 Section 4(e) which is mapped to the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF, NIST SP 800–218).

Among these requirements are the following key aspects:

1. Build System Integrity: Vendors must ensure the integrity of their build systems, guaranteeing that software is developed and maintained in a secure environment.
2. Trusted Supply Chain: Maintaining a trusted supply chain is essential, ensuring that all components and dependencies used in software development come from reliable and verified sources.
3. Provenance Data Maintenance: Vendors are required to maintain detailed provenance data, tracking the origin and history of software components throughout the development lifecycle.
4. Vulnerability Management: Effective vulnerability management practices are crucial, including timely identification, assessment, and mitigation of security vulnerabilities within software products.

SBOM360 Hub, from Lineaje, is designed to help Software publishers to meet these requirements.

• Create, publish and privately share NTIA compliant SBOMs for each product and SKU Software Producers sell.
• Generate the CISA Attestation form with the evidentiary artifacts so Software Producers can attest with confidence that they meet the compliance requirements.

Additional Software Vendor Requirements:

• CEO Signature: The form must be signed by the Chief Executive Officer (CEO) of the software producer or their designee, who must have the authority to bind the corporation. By signing, they attest that the software is developed in conformity with secure software development practices outlined above.
• Third-Party Assessment: Software producers can demonstrate compliance with minimum requirements by submitting a third-party assessment conducted by a Third-Party Assessor Organization (3PAO) that has been FedRAMP certified.
• POAM If Vendor Cannot Attest: If a vendor is unable to meet the requirements outlined in the Attestation Letter, the agency may still opt to utilize the software under certain conditions. In such cases, if the vendor identifies specific practices that they are unable to attest to, they must document their mitigation strategies and submit a comprehensive Plan of Actions and Milestones (POA&M) to the agency.

These requirements ensure that software producers provide accurate information about their software and attest to its secure development practices, aligning with federal government cybersecurity objectives outlined in Executive Order 14028 and related directives like OMB M-22–18 and M-23–16.

Conclusion

The finalization of the CISA Attestation Letter marks a significant milestone in the ongoing efforts to fortify software security within Federal Government Agencies. By requiring vendors to attest to critical security requirements outlined in the NIST SSDF, CISA is ensuring that software deployed across federal systems adheres to robust security standards.

At Lineaje we automate the CISA Attestation Letter, along with evidence collection to attest with confidence. Come check out what we can do at www.lineaje.com