Software Developments: CISA Finalizes Attestation Form, Triggering Secure Software Development Implementation
Client Alert | 2 min read | 03.21.24
On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) published an updated Secure Software Development Attestation Form, meaning that producers of software and providers of products containing software used by the federal government may be required to submit their attestations in the very near future. The Attestation Form, first published in April 2023, is a key cog in CISA’s implementation of software supply chain security requirements in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity and OMB Memoranda M-22-18 and M-23-16.
Attestation Form Applicability and Content
The Attestation Form broadly requires software producers and suppliers of products containing software to affirm that their software development practices for in-scope software conform with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-218 and the NIST Software Supply Chain Security Guidance.
Per OMB M-22-18 and M-23-16, Attestation Forms will be required from producers of third-party software used by federal agencies if the software:
- is developed after September 14, 2023;
- is modified by major version changes after September 14, 2022; or
- is software to which the developer delivers continuous changes to the software code (e.g., software-as-a-service (SaaS) offerings or other products using continuous delivery/continuous deployment).
“Software” subject to attestation includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.
Attestation Deadline
M-23-16 explained that Attestation Form submissions would be due:
- for “critical software,”[1] no later than three months following OMB approval of the Attestation Form under the Paperwork Reduction Act (PRA), or
- for all other in-scope software, no later than six months following OMB PRA approval.
OMB apparently provided PRA approval on March 8, 2024, suggesting that the respective submission deadlines will fall three and six months after that date. Separately, CISA published the Attestation Form on March 11 but has yet to confirm the submission deadlines. Crowell continues to monitor updates from OMB and CISA, and we will update this alert when the Attestation Form submission deadlines are confirmed.
[1] As defined in OMB Memorandum M-21-30.
Contacts
Senior Counsel
She/Her/Hers
Insights
Client Alert | 4 min read | 06.10.25
Trump Administration Cyber Executive Order Revises Prior Administrations’ Requirements
On June 6, 2025 President Trump signed an Executive Order, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144 (the “Trump Cyber EO”). The Trump Cyber EO rescinds and modifies select Biden administration guidance from EO 14144 covering several cybersecurity regimes, including digital identity verification, artificial intelligence, and secure software development practices, and it amends Obama administration guidance from EO 13694 authorizing sanctions on persons involved in malicious cyber activities. We have provided a summary of significant changes made by the Trump Cyber EO below.
Client Alert | 19 min read | 06.09.25
Client Alert | 3 min read | 06.09.25
UK Strategic Defence Review 2025: Implications for Defence Contractors
Client Alert | 8 min read | 06.06.25
Litigation Funding Reforms: Clarity for UK Funders and Litigants Post-PACCAR
