CISA issues draft attestation form for government software providers

Industry vendors have until June 26 to comment on the provisional document.

The Cybersecurity and Infrastructure Security Agency on Thursday published a draft attestation form for software providers working with federal government agencies.

The agency launched a 60-day request-for-comment period, during which industry can submit feedback on the document.

The new form was developed in collaboration with the White House and is based on practices established in the National Institute of Standards and Technology’s Secure Software Development Framework.

Software providers working with federal government agencies will shortly have to start signing the letters of attestation. The documents will then be collected by each department and held “in one central agency system” until CISA establishes a central repository.
Publication of the draft attestation letter format follows a software supply chain memo the White House issued last September, which set out new requirements for federal agencies to ensure that all third-party IT software they deploy adheres to National Institute of Standards and Technology supply chain security requirements.

As part of this, federal agencies will have to ensure that attestation forms are collected from the software contractors they work with.

That memo is one of several policy initiatives from the White House intended to improve cybersecurity standards across federal agencies.

In March, the Biden administration published a new national cybersecurity strategy, which sought to shift the responsibility for maintaining the security of computer systems away from consumers and small businesses onto larger software makers.

The White House strategy document planted a major flag in this debate on the side of those who would like to expose software makers to liability. “Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers,” the strategy document argued.
Editor’s note, 5/1/23, 1:30 p.m. ET: This article was updated to clarify that government agencies will hold software providers’ letters of attestation on an interim basis while CISA creates a central repository for the documents.