The Cybersecurity and Infrastructure Security Agency is asking for public feedback after it released a form on which software producers must attest that their applications meet minimum development standards, part of a plan to help the technology industry reach compliance with new federal requirements for software security.
CISA on Thursday released the common form for producers to self-attest that software provided to the federal government is secure. The comment period is open 60 days, through June 26.
The White House released guidance in September 2022 through the Office of Management and Budget that called for third-party software vendors to comply with minimum security standards under guidelines developed by the National Institute of Standards and Technology.
Filling out the self-attestation form is considered mandatory and failure to comply could result in an agency no longer using that vendor’s software. Providing false and misleading information on the form could subject the violator to criminal penalties.
The plan was part of President Joe Biden’s 2021 Executive Order that called for several measures to strengthen software security following the supply chain attack that hit SolarWinds and the Colonial Pipeline ransomware attack.
Tom McNamara, founder and CEO of Hopr, said the self-attestation requirement is a “pretty weak standard” that will not achieve the level of compliance necessary to make sure software is truly meeting the necessary level of security.
“I see this form as a simple compliance activity necessary to meet the federal executive policy,” McNamara said via email. “But it doesn’t meet the zero trust standard.”
Industry compliance standards usually require a much more rigorous level of scrutiny, McNamara said. Cloud computing, for example, has public key infrastructure certificates that establish digital asset identity, vetted by a third party.
A spokesperson for CISA did not return a request for comment.