On March 11, 2024, the Cybersecurity & Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) introduced a new form for secure software development attestations. After working closely with various industry groups, a standard form was released to ensure that software companies working with the federal government use basic secure development methods and tools.
Why Was the Software Development Attestation Form Created?
The Secure Software Development Framework (SSDF) and the associated attestation process were developed to enhance the security of software used by the U.S. federal government. The SSDF is based on National Institute of Standards and Technology (NIST) standards, which are defined in NIST Special Publication (SP) 800-218, “Secure Software Development Framework V1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities.” As a formal standard, it defines a set of best practices for software producers to follow as they protect the software supply chain from vulnerabilities and cyberattacks. By following these practices, software developers can reduce the number of security flaws in their software, limit the damage if any flaws are found, and fix the underlying issues to prevent future problems. The framework also provides a common language that software buyers and users can use to communicate with suppliers during purchasing and other business processes.
The need for this process arose from Executive Order 14028, issued by President Biden in 2021, which focused on improving the nation’s cybersecurity posture. In response to increasing cyber threats, the federal government recognized the importance of ensuring that software used within federal systems was developed using secure methods. The order emphasized the requirement for all software producers that provide services to the federal government to adopt secure software development practices.
What is the SSDF Attestation Process?
The attestation process is a formal way for software producers to declare that they adhere to these secure development practices. By filling out and submitting the Secure Software Development Attestation Form, producers of software utilized by federal government agencies verify that they comply with the SSDF guidelines. This form is a key component of the overall effort to reduce cyber risk in federal government systems by ensuring that all software meets rigorous security standards before implementation.
CISA, in collaboration with the OMB, developed the attestation form and outlined the submission processes. Producers can submit their attestations either via email or through the Repository for Software Attestations and Artifacts (RSAA), which provides a centralized platform for the submission and review of these attestations. The RSAA also allows for specific annotations and artifacts related to software development to be uploaded, giving agencies and producers a way to track and verify compliance.
How Do Organizations Complete the SSDF Attestation?
There are two mechanisms to complete the form:
First, the CEO or an authorized designee may sign the form to attest, to the best of their knowledge, that the software producer makes consistent use of the practices described within NIST guidance and the SSDF. This is a self-attestation by officers of the company, and it requires them to make an assertion about the implementation of security requirements. As a result, inaccurate claims could lead to penalties under the False Claims Act (FCA), a federal law that protects the government from fraud and abuse by prohibiting individuals and entities from submitting false claims to the government. If executive officers of an organization wish to refrain from signing directly, or if a higher level of assurance is desired, the organization may engage a third party to perform the assessment, which leads us to option two.
Alternatively, a certified FedRAMP Third Party Assessor Organization (3PAO), or another 3PAO approved in writing by an appropriate agency official, may perform an assessment, and the assessed entity provides that assessment report via the RSAA. This option is appropriate when the organization is unsure of the nature and extent of control implementation in its environment, or when a higher level of assurance is required, since the opinions offered by the 3PAO are backed by evidence collected during the assessment.
When an assessment is conducted by a 3PAO, the standards and best practices established in NIST Special Publication (SP) 800-218 are used as the basis for the assessment, and evidence associated with the following groups of controls is evaluated:
- “Prepare the Organization (PO): Organizations should ensure that their people, processes, and technology are prepared to perform secure software development.”
- “Protect the Software (PS): Organizations should protect all components of their software from tampering and unauthorized access.”
- “Produce Well-Secured Software (PW): Organizations should produce well-secured software with minimal security vulnerabilities in its releases.”
- “Respond to Vulnerabilities (RV): Organizations should identify residual vulnerabilities in their software releases and respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future.”
How Can I Get Started with an SSDF Attestation Assessment?
The SSDF attestation process was designed to assist software producers in adopting and adhering to secure software development practices before their software is deployed in federal systems. By mandating a secure-by-design approach, the SSDF ensures that security is not an afterthought but an integral part of every stage of software development. This proactive approach helps to safeguard the government’s digital infrastructure from evolving cyber threats. Through this initiative, CISA is taking a major step towards creating a secure digital environment, not only for federal agencies but also for the broader U.S. population.
The first step in the process is to contact Linford & Company to discuss the nature of the software being developed by the organization, as well as the scope of the people, processes, and technologies involved in the software development lifecycle. Due to our status as a FedRAMP Authorized C3PAO, Linford & Company is able to provide your organization with SSDF attestation services. We look forward to guiding you through an SSDF attestation assessment, or any additional audit services you may require.
Richard Rieben is a Partner and HITRUST practice lead at Linford & Co., where he leads audits and assessments covering various frameworks including HITRUST, SOC, CMMC, and NIST. With over 20 years of experience in IT and cybersecurity and various certifications including PMP, CISSP, CCSFP, GSNA, and CASP+, Richard is skilled in helping growing organizations achieve their information security and compliance goals. He holds a Bachelor of Science in Business Management and an MBA from Western Governors University.