RGCI - OMB Extends Deadline for Software Supply Chain Security to Submit Attestation Forms

On June 9, 2023, the Office of Management and Budget (OMB) issued M-23-16, Update to Memorandum M-22-18, providing an extension to the deadline for software developers to submit attestation forms to Federal agencies.

The original deadlines were June 12, 2023, for critical software and September 14, 2023, for all other software. However, on April 27, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published a draft Secure Software Development Attestation Form and requested public comments by June 26, 2023 (see our Blog – Draft Self-Attestation Form for Software Producers Available for Comment by June 26, 2023).

Because the attestation form was still in draft, OMB extended the deadline and provided other clarifications as follows:

Deadline Extension

Software producers must submit the attestation form (referred to as the common form) to Federal agencies within three months after the final attestation form is released for critical software, and within six months after its release for all other software. OMB did not provide an estimated date for the issuance of the final form.

Third-Party Components

Producers of third-party software components do not need to complete an attestation form. OMB clarified that the attestation must be prepared and submitted by the producer of the software end product, because that producer is in the best position to ensure the security of the product as delivered. Software producers therefore need to address the security of the third-party components incorporated into their software end product, since their attestation covers those components as well.

Freely Obtained and Publicly Available Proprietary Software

Attestation forms are not required from software producers for proprietary products that are freely obtained and publicly available. This includes software applications, such as web browsers, that are offered to members of the public at no cost.

Federal Contractor Developed Software

Although the guidance states that software developed by an agency, including software developed for it under a Federal contract, does not require an attestation, the answer depends on the agency's oversight. If the contracting agency cannot ensure that secure software development practices were followed throughout the entire software development lifecycle (i.e., requirements, design, development, testing, deployment, and maintenance), an attestation form may be required. Agency Chief Information Officers (CIOs) make this determination, and Federal agencies may request an attestation form for software developed under a Federal contract based on the CIO's determination.

Guidance on the Use of Plans of Action and Milestones (POA&Ms)

This guidance has not materially changed from the original OMB memorandum. The good news is that an agency may still use the software if the producer:

  • Identifies the practices to which it cannot attest,
  • Documents the practices in place to mitigate the associated risks, and
  • Submits a satisfactory POA&M to the agency.

Agencies can continue to work with software producers who do not meet the minimum requirements if the agency finds the documentation, including the POA&M, to be in place and satisfactory. If the agency finds a software producer's documentation unsatisfactory, the OMB guidance states that the agency must discontinue use of the software.

Redstone recommends that software producers watch for the final attestation form, since no estimated issuance date was provided. In the meantime, companies should review the draft attestation form to understand the specific secure development practices they will be asked to attest to, including for third-party components used in their end products. Contractors should also determine whether the software they provide is considered critical software, because the submission window after the final form is released is three months for critical software versus six months for all other software.



Written by Lynne Nalley, CPA

