Tech group seeks clarification on attestation alignment, provenance definition in latest draft of secure software common form

The Information Technology Industry Council wants the Cybersecurity and Infrastructure Security Agency to provide details on how it plans to align requirements and define “provenance,” following the release of the second draft common form for contractors to self-attest the security of their software offerings.

CISA and the Office of Management and Budget in April published the first version of the form for public comment. Several groups and individual companies submitted comments to CISA on the draft form identifying...