Industry calls for clarity after White House extends software security form deadline


Software vendors praised a decision from the Office of Management and Budget to extend a deadline for agencies to collect self-attestation forms, though questions remain about what comes next.

Software companies and industry leaders praised a White House decision to extend the deadline for agencies to begin collecting software security attestation forms from contractors, while calling for further clarity regarding the specific details that vendors will need to provide to the federal government.

Acquisition and information technology security officials had previously raised concerns about the Office of Management and Budget guidance issued last year, which required software vendors to attest to the security of the products they sell to federal agencies. Some vendors said the guidance did not spell out the explicit criteria their attestations should cover.

Under the previous guidance, agencies had until Monday to begin collecting the attestation forms from providers of critical software, and a Sept. 14 deadline to collect the forms from all third-party software vendors.

The new guidance says OMB will approve a common attestation form developed by the Cybersecurity and Infrastructure Security Agency before providing agencies with three months to collect the forms from critical software providers, and six months for all software vendors on their networks.

The updated guidance also shifts a significant share of the responsibility onto major software providers: only the supplier of a final software product must submit an attestation form, rather than every third-party provider of a component included in that product also filing its own.

"Major software providers are now, more than ever, key stakeholders in maintaining a strong cyber posture for federal entities," Varun Badhwar, CEO and co-founder of open source software security startup Endor Labs, told Nextgov/FCW. "This added responsibility could also influence the larger software industry, encouraging more widespread adoption of secure development practices even outside of the scope of federal contracts, due to the influence of these major providers in the market."

The additional time will allow software providers and federal agencies to align themselves more effectively with OMB's software security requirements, according to Bill Wright, head of global government affairs for the software company Elastic.

OMB's deadline extension "reflects an understanding that such a significant transition is better done right than fast," Wright said.

"However, during this period, it's crucial that agencies don't get out ahead of OMB, ensuring that there is a harmonized, coordinated approach," he added.

OMB issued the initial guidance in part as a response to a major software supply chain attack in 2020, in which hackers compromised the build infrastructure of the IT management software vendor SolarWinds and inserted malware into a legitimate software update that was then installed on multiple federal agency networks.

It remains unclear when CISA and OMB will finalize the common attestation form, though a draft version published in late April was largely based on the National Institute of Standards and Technology's Secure Software Development Framework.

"The wild card here is when will OMB finalize the form?" said Chris Wysopal, founder and chief technology officer of the application security firm Veracode. "Providers that are not following the practices that end up included on the form will need to create a plan of action and milestones. That is what providers need the time for once the form is finalized."

Other key questions about the forthcoming common attestation form also remain unanswered, particularly what explicit criteria vendors will need to attest to in order to demonstrate the security of their products.

"Attesting that software is developed and built in 'secure environments' is rather ambiguous without further definitions and details," Wright said. "It’s important for the form to detail specific steps that a software vendor can attest to have taken."

OMB and CISA did not immediately return requests for comment.