The Cybersecurity and Infrastructure Security Agency (“CISA”) recently revised its Secure Software Development Attestation Common Form (after receiving over 110 comments on the initial draft), and is seeking additional comments through December 18, 2023. This is an important opportunity for software producers (and others) to provide input that will help shape the future of software supply chain regulations. At a time when the federal government is struggling to harmonize myriad rules on cybersecurity and supply chain, recommendations from industry will be key.

Back in May, CISA released the first draft of the Secure Software Development Attestation Common Form. We previously covered this update on the Government Contracts Law Blog here.

As a refresher, this Common Form will be used by federal agencies to obtain attestation from software developers regarding the security of their products, in accordance with Executive Order 14028 on Improving the Nation’s Cybersecurity and Office of Management and Budget (“OMB”) Memoranda M-22-18 and M-23-16.

After receiving the initial round of comments, CISA revised the Common Form and released a notice on its Request for Comment on the Secure Software Development Attestation Common Form on November 16, 2023. This notice contains updates to the Common Form and provides 30 additional days for public comment. Below are some of the key updates.

Updates: Some of the key changes to the Common Form include the following:

1. Adding the option for either the software producer or the verifying FedRAMP Third Party Assessor Organization (“3PAO”) to attest to the software producer’s conformance.
   • In the initial draft, only the software producer could provide a self-attestation to conformance with the secure software development requirements.
2. If the 3PAO provides the attestation, the 3PAO assessment must be attached to the completed Common Form, in lieu of a signature.
   • In the initial draft, there was no option for the 3PAO to attest to the software producer’s conformance. This may make the option to use a 3PAO more attractive in some cases where it appears to shift the verification risk from the software producer to the 3PAO.
3. If the software producer provides the attestation, CISA limits signatory authority to only the company’s CEO or COO.
   • In the initial draft, the CEO may have been allowed to designate an employee to sign the attestation. This change likely reflects the government’s intent to enhance private sector corporate cyber responsibility amid recent large-scale cyber incidents.
4. Adding the language “to the best of my knowledge” after “I attest” in the attestation section.
   • This change may provide some protection where unforeseen information is discovered after attestation and likely reflects CISA’s attempt to respond to industry concerns regarding a potential increased risk for cyber-based liability under the False Claims Act, discussed here.

The Common Form drafts can be further compared at the following links: Initial Draft and Revised Draft.

Comment Period: The comment period on the revised draft is open until December 18, 2023. OMB is particularly interested in comments and recommendations that address whether this proposed collection of information is necessary for agency performance, whether the estimated burden statement is accurate, how to minimize this burden, and any recommendations that enhance the quality, utility, or clarity of information to be collected.

Comments can be submitted to http://www.reginfo.gov/public/do/PRAMain.