Press Release

CISA Publishes Repository for Software Attestation and Artifacts

Repository supports efforts to reduce federal government cyber risk by ensuring use of secure software

WASHINGTON - The Cybersecurity and Infrastructure Security Agency (CISA) announces today the availability of the Repository for Software Attestation and Artifacts that software producers who partner with the federal government can use to upload software attestation forms and relevant artifacts. Last week, CISA and the Office of Management and Budget (OMB) announced the secure software development attestation form, which enables software producers serving the federal government to attest to implementation of specific security practices.  

Software integrity is key to protecting federal systems from malicious cyber actors seeking to disrupt our nation’s critical functions. This new repository will help federal agencies employ software from producers that attest to using sound secure development practices.  

“Software underpins nearly every service our government delivers on behalf of the American people. This is why CISA and our partners are working to transform federal cybersecurity practices by advancing strong software development security practices for the software upon which Americans depend,” said Executive Assistant Director for Cybersecurity Eric Goldstein. “The repository for software attestation and artifacts will enable a standardized process for agencies and software producers that provides transparency on the security of software development. We look forward to further refining the process to continue elevating software security across the federal enterprise.”   

OMB Memorandum M-22-18, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices,” and OMB Memorandum M-23-16, “Update to Memorandum M-22-18,” limit agencies’ ability to use software that is not developed using secure practices. The attestation form will allow software producers to confirm that they follow those practices.

For more information, please visit: Secure Software Development Attestation Form

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram