CISA, OMB release secure software development attestation form
Makers of software used by the federal government will now be required to affirm that their products are built with secure development practices in mind, by filling out a form released Monday by the Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget.
The Biden administration’s secure software development attestation form follows “extensive stakeholder and industry engagement” intended to ensure that “the software producers who partner with the federal government leverage minimum secure development techniques and toolsets,” per a statement from the agencies.
In a blog post, Chris DeRusha, the federal chief information security officer and deputy national cyber director, and Eric Goldstein, CISA’s executive assistant director for cybersecurity, said that the release of the form builds on the administration’s national cybersecurity strategy and on President Joe Biden’s 2021 executive order on improving the nation’s cybersecurity.
“By ensuring our Government uses software products from software producers that leverage best practices for secure development, we not only strengthen the security of the Federal Government, but drive improvements for customers across the globe,” DeRusha and Goldstein wrote. “We envision a software ecosystem where our partners in state and local government, as well as in the private sector, also seek these assurances and leverage software that is built to be secure by design.”
DeRusha and Goldstein noted that the new form reinforces CISA’s secure-by-design principles. Those principles, which are also followed by federal government partners and international allies, put the security onus on the software producer rather than the customer. Software should be developed with “radical transparency and accountability” by makers that have organizational structure and leadership aligned with those goals.
Speaking Wednesday at the Elastic Public Sector Summit, produced by FedScoop, Goldstein called CISA’s work to promote secure-by-design software one of the agency’s most important goals “for scale.”
“The most effective way to drive the security and scale of every enterprise is to actually use products that are … verifiably secure by design,” he said, adding that CISA “can’t do it without all of your help,” referring to those from industry in attendance.
Specifically, the form’s checklist has callouts on secure principles, including: logging, monitoring and auditing of trusted relationships used for authorization and access; employing multi-factor authentication; encrypting sensitive data, like credentials; using automated tools to check for vulnerabilities; and maintaining trusted source code supply chains, among several others.
The form release comes a little less than a month after the public comment period closed for CISA’s request for feedback on its “secure by design” white paper, which pushed software manufacturers to adopt tougher security standards.