On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released the much anticipated final version of its common Secure Software Development Attestation Form.  Finalization of the form is a notable development for developers of software that is sold to the U.S. Government for two reasons.  First, the form is expected to be used widely by Government agencies to fulfill requirements set forth in recent OMB memoranda for those agencies to ensure that the software they procure or use is secure by requiring attestations from software developers.  Second, as set forth under OMB guidance, final approval of the form by the Office of Information and Regulatory Affairs (OIRA) triggers a countdown wherein agencies need to begin collection of the forms within three months for “critical software” and within six months for all other software.

As we described in more detail in a prior post, OMB issued a memorandum in September 2022 that directed federal agencies to collect attestations from software developers that those developers adhere to certain secure software development practices described by NIST Secure Software Development Framework (SP 800-218) and the NIST Software Supply Chain Security Guidance (discussed here) (collectively, “NIST Guidance”).  “Software” is very broadly defined to include “firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.”  Covered software includes software that was developed or that underwent a major version change after September 14, 2022, as well as software that undergoes continuous updating.  OMB indicated in the memorandum that agencies would use a “common form” to collect these attestations. 

Although the requirements were initially slated to go into effect last year, OMB delayed the implementation in a subsequent memorandum that it issued in June 2023, which we discussed in another post.  As a result of the June 2023 memorandum, agencies are not required to comply with the requirements until a certain period after the common form is approved by OIRA.  Specifically, agencies must collect attestations from software developers within three months of the form’s approval for “critical” software, and within six months of the form’s approval for all other software. 

Plan of Action and Milestones (POA&Ms) are permitted under the current guidance, but acceptance of the POA&M is within an agency’s discretion, and agencies must specifically request extension of the deadline for attestation from OMB for that piece of software.  Agencies may also, in their discretion, choose to require the provision of additional materials, including software bills of materials (SBOMs). 

OMB has not released any updated guidance relating to secure software as of yet, and while an implementing FAR rule appears to be nearing completion of the interagency drafting and development process, it has not been released either.  Nonetheless, the conditions set forth in the June 2023 memorandum to start the three- and six-month clocks have now been met. 

Accordingly, software developers that sell products for end use by the U.S. Government are highly encouraged to assess their current state of compliance relative to the secure development practices now to identify any potential gaps that could cause concerns with customers and to begin addressing them.  Contractors are also encouraged to begin documenting the basis for the attestations that they will be required to make.

Robert Huffman

Bob Huffman counsels government contractors on emerging technology issues, including artificial intelligence (AI), cybersecurity, and software supply chain security, that are currently affecting federal and state procurement. His areas of expertise include the Department of Defense (DOD) and other agency acquisition regulations governing information security and the reporting of cyber incidents, the proposed Cybersecurity Maturity Model Certification (CMMC) program, the requirements for secure software development self-attestations and bills of materials (SBOMs) emanating from the May 2021 Executive Order on Cybersecurity, and the various requirements for responsible AI procurement, safety, and testing currently being implemented under the October 2023 AI Executive Order. 

Bob also represents contractors in False Claims Act (FCA) litigation and investigations involving cybersecurity and other technology compliance issues, as well as more traditional government contracting cost, quality, and regulatory compliance issues. These investigations include significant parallel civil/criminal proceedings growing out of the Department of Justice’s Cyber Fraud Initiative. They also include investigations resulting from False Claims Act qui tam lawsuits and other enforcement proceedings. Bob has represented clients in over a dozen FCA qui tam suits.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including those arising under the Buy American Act/Trade Agreements Act and Section 889 of the FY2019 National Defense Authorization Act. In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial products, services, and software. He focuses this aspect of his practice on the overlap of these traditional government contracts IP rules with the IP issues associated with the acquisition of AI services and the data needed to train the large learning models on which those services are based. 

Bob writes extensively in the areas of procurement-related AI, cybersecurity, software security, and supply chain regulation. He also teaches a course at Georgetown Law School that focuses on the technology, supply chain, and national security issues associated with energy and climate change.

Ryan Burnette

Ryan Burnette advises defense and civilian contractors on federal contracting compliance and on civil and internal investigations that stem from these obligations. Ryan has particular experience with clients that hold defense and intelligence community contracts and subcontracts, and has recognized expertise in national security-related matters, including those that relate to federal cybersecurity and federal supply chain security. Ryan also advises on government cost accounting, FAR and DFARS compliance, public policy matters, and agency disputes. He speaks and writes regularly on government contracts and cybersecurity topics, drawing significantly on his prior experience in government to provide insight on the practical implications of regulations.