The Biden administration approved a long-awaited secure software development attestation form, part of a yearslong effort to secure the nation’s software supply chain through more robust enforcement mechanisms.
The form, which the Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget released Monday, is designed to ensure software producers working with the U.S. government comply with standards for secure development.
“Software underpins nearly every service our government delivers on behalf of the American people,” Chris DeRusha, federal CISO and deputy national cyber director, and Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a blog post released Monday.
The two officials cited Executive Order 14028, which led to a series of measures designed to bolster the nation’s cybersecurity in the wake of the Sunburst supply chain attack. The attack, attributed to the state-linked threat actor Nobelium, led to compromises impacting numerous SolarWinds customer environments.
CISA sought extensive industry input on the attestation form, which calls for companies working with federal agencies to comply with minimum standards for secure development practices.
Failure to provide the information requested on the form could result in the agency no longer using that particular software. A willfully false or misleading disclosure could also violate criminal statutes.
“Attestation is now a hard requirement that will be enforced during the procurement or renewal process,” Tim Mackey, head of software supply chain risk strategy at Synopsys Software Integrity Group, said via email.
The secure practices in the guidelines include separating production and development environments, using multifactor authentication, and maintaining regular logging and monitoring, among other measures, according to Chris Hughes, chief security advisor at Endor Labs.
“This will force systemic changes among software suppliers currently or looking to sell to the federal government and adopting baseline fundamental secure development practices,” Hughes said via email.