The Cybersecurity and Infrastructure Security Agency (CISA) announced on March 18 the availability of the Repository for Software Attestation and Artifacts that software developers can use to share software attestation forms and relevant artifacts.

The new repository will help Federal agencies ensure they procure software from producers that use secure development practices.

“Software underpins nearly every service our government delivers on behalf of the American people. This is why CISA and our partners are working to transform Federal cybersecurity practices by advancing strong software development security practices for the software upon which Americans depend,” Executive Assistant Director for Cybersecurity Eric Goldstein said in a March 18 press release.

“The repository for software attestation and artifacts will enable a standardized process for agencies and software producers that provides transparency on the security of software development,” Goldstein added. “We look forward to further refining the process to continue elevating software security across the federal enterprise.”

This action comes after CISA and the Office of Management and Budget (OMB) released a secure software development attestation form last week, which takes a crucial step towards ensuring Federal contractors provide secure products to the Federal government.

The form – which followed extensive stakeholder and industry engagement – will help to advance a key aspect of President Biden’s 2021 cybersecurity executive order on creating a more secure software supply chain.

The attestation form for software producers is also an integral part of an OMB directive issued in September 2022 that requires Federal agencies to take a range of actions to comply with National Institute of Standards and Technology (NIST) guidance on software security.

CISA said this week’s repository also aligns with the OMB directive, allowing software producers “to confirm that they follow those practices.”

According to OMB, Federal agencies have six months from the form’s finalization to start collecting attestations for all third-party software.

Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.