On June 9, 2023, the Office of Management and Budget (OMB) issued M-23-16, Update to Memorandum M-22-18, providing an extension to the deadline for software developers to submit attestation forms to Federal agencies.
The original deadline was June 12, 2023, for critical software and September 14, 2023, for other software. However, on April 27, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published a draft Secure Software Development Attestation Form and requested comments by June 26, 2023, from the public (see our Blog – Draft Self-Attestation Form for Software Producers Available for Comment by June 26, 2023).
Since the attestation form was still in draft form, OMB extended the deadline and provided other clarifications as follows:
Deadline Extension
Software producers must submit the Attestation form (referred to as the common form) to Federal agencies three months after the release of the final attestation form for critical software and six months after its release for all other software. OMB did not provide an estimated date for the issuance of the final form.
Third-Party Components
Software producers of third-party software components do not need to complete an attestation form. OMB clarified that the attestation must be prepared and submitted by the producer of the software end product because they are in the best position to ensure security. Therefore, software producers need to ensure they are addressing the security of third-party components incorporated into their software end product.
Freely Obtained and Publicly Available Proprietary Software
Attestation forms are not required from software producers for proprietary products that are freely obtained and publicly available. This includes software applications, such as web browsers, which are offered to members of the public at no cost.
Federal Contractor Developed Software
Although the guidance states that agency-developed software under a Federal contract does not require an attestation, this is not absolute. If a contracting agency is unable to ensure that secure software development practices are followed through the entire software development lifecycle (i.e., requirements, design, development, testing, deployment, and maintenance), an attestation form may be required. Agency Chief Information Officers (CIOs) will make the determination. Federal agencies may request an attestation form for software developed under a Federal contract based on the CIO’s determination.
Guidance on the Use of Plans of Action and Milestones (POA&Ms)
This guidance has not really changed from the original OMB memorandum. The good news is that an agency may still use the software if the producer:
- Identifies the practices to which they cannot attest
- Documents practices in place to mitigate associated risks, and
- Submits a satisfactory POA&M to an agency.
Agencies can work with software producers who do not meet the minimum requirements if the agency finds the documentation, including the POA&M, is in place and satisfactory. If the agency finds a software producer’s documentation is unsatisfactory, the OMB guidance states the agency must discontinue the use of the software.
Redstone recommends software producers be on the lookout for the final Attestation Form, since an estimated issuance date was not provided. In the meantime, companies should review the “draft” attestation form to gain an understanding of the specific controls that software producers must comply with, including software in third-party components used in their end product. Contractors should also determine whether the software they provide is considered critical or not. The deadline for submitting the attestation form is three months for critical software versus six months for other software.
Redstone GCI can provide our clients with information and guidance in working with established industry-leading partners who can assist in fulfilling cybersecurity compliance requirements. Redstone GCI assists contractors throughout the U.S. and internationally with understanding the Government’s expectations and supporting contractors from contract award to contract closeout. We would be happy to be part of your team.