Secure Software Development Attestation Form
Mar 27, 2024
Interlynk

[This post was previously published as Self-Attestation for M-22–18 and is now revised for the final form]
Three years ago, Executive Order 14028 (“Improving the Nation’s Cybersecurity”) highlighted the importance of updating the Nation’s cyber hygiene.
In September 2022, the Office of Management and Budget (OMB) made it actionable by rolling out memo M-22–18 (“Enhancing the Security of the Software Supply Chain through Secure Software Development Practices”).
M-22–18 outlines part of the EO14028 implementation plan for Federal agencies. M-23–16 added further clarifications to those requirements.
Those memos, in turn, focus on two artifacts that establish the security and maturity of a software producer's development practices:
1. A self-attestation form declaring the producer's development practices
2. A Software Bill of Materials (SBOM) per product version declaring the composition of the software
While the specification and requirements for SBOMs have been well established since NTIA's Minimum Elements for a Software Bill of Materials, the requirements for the self-attestation were only finalized and released on March 8, 2024.
The form leans heavily on the Practices and Tasks specified in NIST SP 800-218 (the Secure Software Development Framework, SSDF), version 1.1, the revision produced in response to the Executive Order.
Interlynk has mapped out self-attestation requirements in an easy-to-follow format to help organizations get a head start.