Inside Cybersecurity

BSA urges CISA to use common self-attestation form for software to satisfy ‘safe harbor’ liability protection

By Sara Friedman / June 28, 2023

A large software group is advocating for the federal government to use the self-attestation form for secure software development from CISA and the Office of Management and Budget as an acceptable way to satisfy the national cyber strategy’s proposal for establishing liability protections and a “safe harbor.”

CISA sought feedback in April on a draft common form for self-attesting compliance with the NIST Secure Software Development Framework as part of the agency’s work to fulfill a requirement from the 2021 cyber executive order. The public comment period concluded on Monday.

“The attestation form identifies multiple Administration priorities aimed at improving software security, including EO 14028 and the National Cybersecurity Strategy. These documents suggest shifting responsibility to software producers while simultaneously providing software producers that leverage best practices a safe harbor from liability,” BSA-The Software Alliance said in its comments.

BSA says, “As the National Cybersecurity Strategy, Strategic Objective 3.3 states, ‘the Administration will drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software.’ BSA recommends DHS design the attestation form for the purpose of satisfying the requirements of a safe harbor identified in Strategic Objective 3.3 and support the use of the form for that purpose.”

BSA wants CISA to ensure reciprocity with the General Services Administration’s FedRAMP program. It says, “The draft attestation form provides that if a third-party assessor organization (3PAO) certifies the software using NIST guidance, then the software producer does not need to submit the attestation form.”

“It makes sense that a software producer that is certified under FedRAMP would be exempt from submitting an attestation form, as the SSDF practices and tasks reflected in the attestation form reference the security controls in NIST SP 800-53, a central element of FedRAMP. However, the attestation requirements do not necessarily always perfectly align with FedRAMP requirements,” according to BSA.

BSA argues that CISA should clarify that the certification from a 3PAO would meet the attestation form requirement even when a software producer’s FedRAMP certification doesn’t “perfectly align with the requirements of attestation.”

Further, BSA says if a 3PAO provides “relevant documentation to the Federal Government as part of the FedRAMP process” then it should not have to “provide the same relevant documentation as part of the attestation form process. This change would ensure the new common form process is integrated into existing FedRAMP processes as seamlessly as possible.”

BSA wants more clarity on the attestation “statements” in the form that a software producer must meet to reach compliance. It recommends making the attestation form “a one-level list of statements to which DHS will require a software producer to attest” and eliminating “the SSDF practices or tasks from the attestation form.”

The software association says, “BSA appreciates DHS’s effort to ‘show its work,’ provide software producers with a helpful map to SSDF practices and tasks and clarify that agencies may request additional information from a vendor. However, including such information undermines the goal of the common attestation form, which is supposed to streamline the process and not create just another form for software producers to complete before they complete separate forms for every US Government agency.”

By stating that “this form does not require software vendors to use each of the [SSDF] practices and tasks identified or produce an SBOM,” BSA says CISA leaves open the opportunity for misrepresentation by agencies. BSA says agencies could conclude that each task or practice must be achieved for all software producers.

BSA says agencies could also interpret the form to mean that an SBOM is “worthwhile and thus require it.” The trade group says the form “creates confusion in its inclusion of Software Bill of Materials.”

The attestation “should be limited to the requirements, nothing else,” BSA says. Further, it says DHS and OMB should “actively encourage agencies to require only the common attestation form, after they have published the final version of the common form through compliance with the Paperwork Reduction Act.”

BSA provides specific comments on the substance of the form where they want to see clarification.

It concludes, “We hope DHS will strengthen the attestation form by ensuring that the attestation form is aligned with and supports the Administration’s broad software security goals; removing material that could be misinterpreted; and clarifying the substance of the statements to which a software producer must attest. We look forward to continuing to work with DHS on this important issue.”

Several groups, including the Cybersecurity Coalition and tech companies, submitted comments to CISA on the self-attestation form. OMB issued a memo on June 9 extending the deadline for agencies to start collecting self-attestations from their vendors until after CISA releases the final common form. -- Sara Friedman (sfriedman@iwpnews.com)