Advancing progress toward a technology environment where all software products are safe and secure by design is a top priority for CISA, the broader U.S. government, and the global cybersecurity community. As a step on this journey, Executive Order 14028 and the Office of Management and Budget’s (OMB) M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices, required the development of a self-attestation form in which software producers serving the federal government will have to confirm the implementation of specific security practices.
On April 27, CISA released a 60-day Request for Comment to solicit public feedback on a draft self-attestation form. CISA developed this draft form in close consultation with OMB and based upon practices established in the National Institute of Standards and Technology’s Secure Software Development Framework (SSDF). CISA encourages all interested parties to:
- Review the Secure Software Development Attestation Common Form
- To learn more about the form and comment submission process, visit: Federal Register: Agency Information Collection Activities: Request for Comment on Secure Software Development Attestation Common Form
- To submit feedback, click the comment box at the top of Regulations.gov. The comment period is open for 60 days. Comments will be accepted through June 26, 2023.