On March 11, 2024, the Cybersecurity and Infrastructure Security Agency ("CISA") and the Office of Management and Budget ("OMB") released the highly-anticipated Secure Software Development Attestation Form (also known as the "Common Form") and on March 18, 2024 CISA's repository for the forms went live.
The Common Form will be used by federal agencies to obtain attestations from software developers regarding the security of their products, in accordance with Executive Order 14028 on Improving the Nation's Cybersecurity and OMB Memoranda M-22-18 and M-23-16.
In April 2023, CISA introduced the Initial Draft Common Form and in December 2023, CISA released the Revised Draft Common Form. We covered the key takeaways from the Initial Draft here and the Revised Draft here. CISA sought feedback from stakeholders and industry on the Revised Draft in a public comment period that closed on December 18, 2023.
Below are key changes from the December 2023 Revised Draft:
- The Common Form adds a fourth category of software products and components that do not require a Self-Attestation (i.e., third-party open source and proprietary components that are incorporated into the software end product used by the agency);
- In this version, the Common Form must be signed by the Chief Executive Officer ("CEO") of the software producer or their designee (rather than the Chief Operating Officer), who must be an employee of the software producer and have authority to bind the organization;
- The Common Form requires the relevant agency to take appropriate steps to ensure the software producer's Third Party Assessor Organization ("3PAO") assessment is not posted publicly, either by the vendor or by the agency itself;
- The Common Form notes that attestations are binding for future versions of the named software product unless and until the software producer notifies the relevant agencies that its development practices no longer conform to the required elements that are specified in the attestation;
- The Common Form softens the requirement that the software producer maintain provenance for internal code and third-party components incorporated into the software by adding to the greatest extent feasible; and
- The Common Form clarifies that signing the attestation means that software producers are attesting to adhering to the secure software development practices for code developed by the producer.
OMB M-23-16 requires agencies to collect attestations from software producers for "critical" software no later than three months after the CISA common self-attestation form is approved by OMB and for all other software, within six months.
Neither the March 11, 2024 announcement nor the March 18, 2024 announcement from CISA address these timelines.
It is important for impacted software producers to begin reviewing the Repository website, request an account if needed, and prepare to submit Common Forms. Generally, we would expect these requirements to be set forth in a contract or agreement for them to be effective, so companies should consider the legal implications of the attestation and associated timing before submitting the form.
If you have questions about the Common Form or secure software development practices more generally, Sheppard Mullin's Governmental Cybersecurity and Data Protection Team is here to help.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.