Repository for Software Attestations and Artifacts (RSAA) User Guide
The Repository for Software Attestations and Artifacts (RSAA) User Guide provides users with instructions to create an RSAA account, the required CISA Okta Partner Platform account with multifactor authentication (MFA) and use the RSAA application effectively. The RSAA application serves as a repository for all software producers’ Attestations.
The Secure Software Development Attestation Form may be found at Secure Software Development Attestation Form. CISA's repository for online form submission is https://softwaresecurity.cisa.gov.
OMB issued memorandum M-22-18 on 14 September 2022. Due to the importance and scope of the Federal Government’s information and communications technology (ICT) products and services, Memorandum 22-18 was drafted to ensure software integrity. Software integrity is key to protecting Federal systems from nation state and criminal actors seeking to disrupt our nation’s critical functions. The goal is to reduce overall risk from cyber-attacks. One way to achieve this is by Federal agencies only using software from software producers who can attest to complying with the Government-specified secure software development practices, as described in the NIST Guidance.
Following the issuance of M-22-18, on 09 June 2023, OMB issued memorandum M-23-16. OMB Memorandum M-23-16 reinforces the requirements established in M-22-18, reaffirms the importance of secure software development practices, and extends the timelines for agencies to collect attestations from software producers. Additionally, this memorandum provides supplemental guidance on the scope of M-22-18’s requirements and on agencies’ use of Plan of Actions and Milestones (POA&Ms) when a software producer cannot provide the required attestation but plans to do so. To the extent any provision of this memorandum may be read to conflict with any provision of M-22-18, this memorandum is controlling.
The RSAA serves to satisfy the requirements set forth in M-22-18 and M-23-16.
Note: CISA is committed to providing access to our web pages and documents for individuals with disabilities, both members of the public and federal employees. If the format of any elements or content within this document interferes with your ability to access the information, as defined in the Rehabilitation Act, please email TOC@mail.cisa.dhs.gov. To enable us to respond in a manner most helpful to you, please indicate the nature of your accessibility problem and the preferred format in which to receive the material.