Software Developments: CISA Finalizes Attestation Form, Triggering Secure Software Development Implementation
Client Alert | 2 min read | 03.21.24
On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) published an updated Secure Software Development Attestation Form, meaning that producers of software and providers of products containing software used by the federal government may be required to submit their attestations in the very near future. The Attestation Form, first published in April 2023, is a key cog in CISA’s implementation of software supply chain security requirements in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity and OMB Memoranda M-22-18 and M-23-16.
Attestation Form Applicability and Content
The Attestation Form broadly requires software producers and suppliers of products containing software to affirm that their software development practices for in-scope software conform with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-218 and the NIST Software Supply Chain Security Guidance.
Per OMB M-22-18 and M-23-16, Attestation Forms will be required from producers of third-party software used by federal agencies if the software:
- is developed after September 14, 2023;
- is modified by major version changes after September 14, 2022; or
- is software to which the developer delivers continuous changes to the software code (e.g., software-as-a-service (SaaS) offerings or other products using continuous delivery/continuous deployment).
“Software” subject to attestation includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.
Attestation Deadline
M-23-16 explained that Attestation Form submissions would be due:
- for “critical software,”[1] no later than three months following OMB approval of the Attestation Form under the Paperwork Reduction Act (PRA), or
- for all other in-scope software, no later than six months following OMB PRA approval.
OMB apparently provided PRA approval on March 8, 2024, suggesting that the respective submission deadlines will fall three and six months after that date. Separately, CISA published the Attestation Form on March 11 but has yet to confirm the submission deadlines. Crowell continues to monitor updates from OMB and CISA, and we will update this alert when the Attestation Form submission deadlines are confirmed.
[1] As defined in OMB Memorandum M-21-30.
Contacts
Senior Counsel
She/Her/Hers
Insights
Client Alert | 3 min read | 05.20.25
On May 19, 2025, Deputy Attorney General Todd Blanche issued a Memorandum creating the Civil Rights Fraud Initiative that will “utilize the False Claims Act to investigate and . . . pursue claims against any recipient of federal funds that knowingly violates federal civil rights laws.” According to the Memorandum, though racial discrimination has “always been illegal,” the Administration posits that “many corporations and schools continue to adhere to racist policies and preferences—albeit camouflaged with cosmetic changes that disguise their discriminatory nature.” In an effort to prevent federal funds from being used in connection with or support of these purportedly racist policies and preferences, the Initiative will wield the power of the False Claims Act, the government’s most powerful tool to fight fraud, waste, and abuse.
Client Alert | 8 min read | 05.19.25
Client Alert | 2 min read | 05.19.25
