October 6, 2025
Daily News
Telecom groups ask for clarification over how CISA will define ‘products’ in context of common form to self-attest software security
Industry groups representing the communications sector are asking CISA for details on definitions in the agency’s draft common self-attestation form for software security, including what should be considered a “product” and the role of a “software producer.”
“While the Draft Common Form’s instructions and background materials reference E.O. 14028, OMB M-22-18, and the SSDF, CISA has not adopted clear definitions from those documents in its draft. Implicit incorporation by reference is not sufficient in this instance,” wireless group CTIA writes...