RGCI - Draft Self-Attestation Form for Software Producers Available for Comment by June 26, 2023

On April 27, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS) published a draft Secure Software Development Attestation Form. Software producers that sell to the government will be required to complete the self-attestation form to attest that the software they produce was developed in conformity with specified secure development practices.

CISA issued a 60-day Request for Comment to solicit public feedback on the draft self-attestation form. Comments will be accepted through June 26, 2023. Redstone recommends that software producers review the self-attestation form and provide comments before the deadline.

The self-attestation form was developed as a result of the Office of Management and Budget (OMB) Memorandum M-22-18, issued on September 14, 2022, which requires Federal agencies that purchase software to comply with additional NIST requirements (see our blog post "OMB Issues New Cyber Security Requirements for Federal Agencies that Impacts Companies that Sell Software to the Government").

The following software will require self-attestation:

  • Software developed after September 14, 2022
  • Existing software that is modified by major version changes after September 14, 2022 (e.g., software version goes from 2.5 to 3.0)
  • Software where the producer delivers continuous changes to the software code (e.g., software-as-a-service products or products using continuous delivery/continuous deployment)

Software producers who utilize freely obtained elements (e.g., freeware, open source) in their software are required to attest that they have taken steps to minimize the risk of relying on that software in their products.

The draft self-attestation form requires software producers to attest:

  • Software is developed and built in secure environments
  • They have made a good-faith effort to maintain trusted source code supply chains
  • They maintain provenance data for internal and third-party source code incorporated into the software, and
  • They employ automated tools or comparable processes that check for security vulnerabilities

After the self-attestation form is completed, the government may request additional information or documentation, such as a Software Bill of Materials (SBOM) or documentation from a third-party assessor.

Completion of the form is not required if the software has been verified by a certified FedRAMP third-party assessor organization (3PAO) or another 3PAO approved in writing by an agency official. However, the documentation from the 3PAO is still required.

CISA has not modified the deadlines in the OMB memorandum requiring attestations by June 12, 2023, for critical software and September 14, 2023, for all other software. We believe the deadlines will have to be extended since CISA is accepting comments on the draft form through June 26, 2023.

Redstone recommends that software producers selling to the government review the specific controls included in the self-attestation form to determine whether they already comply with them or need to implement additional controls before they are required to complete the form.

Once the form takes effect, completing it will be mandatory for software producers. Failure to provide the completed form or the information requested could result in the inability to sell software to the federal government.

Redstone GCI can provide our clients with information and guidance in working with established, industry-leading partners who can assist in fulfilling cybersecurity compliance requirements. Redstone GCI assists contractors throughout the U.S. and internationally with understanding the Government's expectations and supports contractors from contract award to contract closeout. We would be happy to be part of your team.

Written by Lynne Nalley, CPA

Lynne Nalley, CPA

Lynne is a Director with Redstone Government Consulting, Inc. providing government contract consulting services to our clients primarily related to Commercial Item Determinations and support, Cost Accounting Standards, DFARS Business System Audits, Proposals, and Incurred Cost. Prior to joining Redstone Government Consulting, Lynne served in several capacities with DCAA and DCMA for over 35 years.

Professional Experience

Lynne began her career working with DCAA in the Honeywell Resident Office, Clearwater, FL in 1984. Lynne's experience included various positions which involved conducting or reviewing forward proposals or rate audits, financial capability audits, progress payments, accounting and estimating systems, cost accounting standards, claims and disclosure statement reviews. She is an expert in FAR, DFARS, and CAS and has testified as an expert witness. Lynne assisted in drafting the commercial item guidance for DCAA Headquarters. Lynne was assigned as a Regional Technical Specialist where she provided guidance to 20 field offices on highly complex or technical issues relative to forward pricing, financial capability or progress payment issues. As an Assistant for Quality, she was involved in reviewing and ensuring audit reports were in compliance with policy and GAGAS, and she made NASBA-certified presentations to the staff including but not limited to billing reviews, CAS, unallowable cost and progress payments. To enhance her experience in government contracting, Lynne accepted a position with DCMA in 2015 as part of the newly organized DCMA Cadre of Experts in the Commercial Item Group. This included performing reviews of prime contractors' assertions and/or commercial item determinations as well as performing price analyses. Lynne was a project lead and later became a lead analyst where she engaged with the buying commands on requests and reviewed price analysis reviews performed by a team of 5 analysts. She also assisted the DCMA CPSR team relative to commercial items and co-instructed the Commercial Item Training presented to DCMA.

Education

Lynne earned a Bachelor of Science Degree in Accounting from the University of Central Florida.

Certifications

  • State of Florida Certified Public Accountant
  • State of Alabama Certified Public Accountant
  • Defense Acquisition Workforce Improvement Act (DAWIA) Level III - Auditing
  • DAWIA Level III - Contracting

About Redstone GCI

Redstone GCI is a consulting firm focused on fulfilling the needs of government contractors in all areas of compliance. With a singular mission to help contractors through the multiple layers of “red tape,” we allow contractors to focus on what they do best – support their mission with the U.S. Government. We are home to a group of consultants made up of GovCon industry professionals, CPAs, attorneys, and retired government audit and acquisition professionals.

Our focus on and knowledge of the audit and compliance functions administered by DCAA and DCMA will always be at the heart of what we do. However, for the past decade, we've strategically grown to support other areas of the government contractor back office with that same level of focus and expertise. We've added expertise in contracts management, subcontract administration, proposal pricing, various software systems, HR and employment law, property administration, manufacturing, data analytics/reporting, grants, M&A, and many other areas. When we see a trend in the needs of contractors, we act to ensure we can provide the best expertise in the market to fulfill those needs.

One thing our clients can be certain of is that with the Redstone GCI Team in your corner, there is no problem too big and no issue too technical for our team to tackle.
