CISA to develop ‘self-attestation’ cybersecurity standards for federal software vendors 

The agency will create a standardized form for U.S. departments to collect proof that vendors comply with NIST standards.

The White House tasked the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to play a key role in deploying new cybersecurity guidelines the Biden administration rolled out Wednesday.

CISA will work with the Office of Management and Budget to create a “common form” that U.S. departments will use to show that software vendors have attested that the technology they are selling to the government meets National Institute of Standards and Technology security guidelines.

The new self-attestation guidelines put the burden on federal contractors to take additional steps to show that their wares comply with supply chain security standards. CISA will have 120 days to create a form suitable for use by multiple agencies.

According to a White House memo, federal government departments will have 120 days to communicate to vendors the need to adhere to NIST standards, and to collect the relevant letters of attestation.
In addition, within a year CISA must establish plans for a governmentwide repository for software attestations and artifacts. Under the new guidance, CISA will also within 24 months evaluate requirements for the creation of a full federal interagency software artifact repository, and will publish updated guidance on software bill of materials for federal agencies if needed.

Software artifacts are the byproduct of software development and can help to describe the architecture, design and function of software. They can be used to provide an in-depth roadmap of the development process that can help establish the provenance of software.

The memo, issued Wednesday morning and first reported by the Washington Post, represents the latest policy initiative from the White House as the executive branch works to rapidly improve cybersecurity standards across federal agencies.

FedScoop previously reported details of the forthcoming guidance, which has raised concern among technology industry leaders.