Self-Attestation for M-22-18
Jun 22, 2023
Interlynk

Two years ago, Executive Order 14028 ("Improving the Nation's Cybersecurity") highlighted the importance of improving the Nation's cyber hygiene.
In September 2022, the Office of Management and Budget (OMB) made it actionable by rolling out memo M-22-18 ("Enhancing the Security of the Software Supply Chain through Secure Software Development Practices").
M-22-18 outlines part of the EO 14028 implementation plan for Federal agencies.
The memo, in turn, relies on two artifacts to establish the security and maturity of a software producer's development practices:
A self-attestation form in which the producer declares that its development practices meet the required secure development practices
A Software Bill of Materials (SBOM), one per product version, declaring the composition of the software
While the specification and requirements for SBOM have been well established by NTIA's Minimum Elements for a Software Bill of Materials, the requirements for the self-attestation have been a work in progress. It will be interesting to see how the deadlines (July for critical software and September for all other software) can be met given that the form itself is not yet final.
On April 27, CISA released the specifics of the self-attestation form for public comment. The form leans heavily on the Practices and Tasks specified in NIST SP 800-218 ("Secure Software Development Framework"), revised to version 1.1 in response to the Executive Order.
While the requirements can still change after the public comment period ends (June 26, 2023), Interlynk has mapped out the self-attestation requirements in an easy-to-follow format to help organizations get a head start.