Trade group calls on White House to clarify cybersecurity self-attestation proposals for software providers

The Information Technology Industry Council says its members need further details on the scope of new requirements that would require software vendors working with federal agencies to provide cybersecurity self-attestation.
WASHINGTON, DC - MARCH 30: Director of the Office of Management and Budget (OMB) Shalanda Young testifies before the Senate Budget Committee. (Photo by Kevin Dietsch/Getty Images)

The Information Technology Industry Council has called on the White House to clarify proposals that would require software providers to attest to the security of their products when selling to federal agencies.

In a letter sent to Office of Management and Budget Director Shalanda Young on Nov. 21, the trade group said that technology providers would need further specific details before the new guidelines are rolled out.

It comes after the White House in September set out expectations that federal agencies will have to obtain self-attestation before deploying a software provider’s product on government systems.

ITI said the Biden administration should ensure that all federal agencies use the same form when requesting evidence of self-attestation from software providers, with the option to request addendums for mission-unique needs.


The trade group added that OMB should adjust the current implementation timeline of the proposals to allow for a standardized rollout and also that it should discourage agencies from requiring artifacts until software bills of materials are scalable and consumable.

It also petitioned the White House to pilot the collection of attestations and artifacts before pushing ahead with the implementation of requirements.

“To support the effective and consistent implementation of the government’s cybersecurity objectives, we call upon OMB to use its role in establishing cross-government objectives and timelines for the rollout of secure software development lifecycle requirements to maximize harmonization and built-in flexibility while software producers work to comply with new guidance on short notice,” ITI said in its letter.

Under the guidance, federal agencies would have to ensure that all third-party IT software deployed adheres to National Institute of Standards and Technology supply chain security requirements and get proof of conformance from vendors.

The September memo on self-attestation represented the latest policy initiative from the White House as the executive branch works to rapidly improve cybersecurity standards across federal agencies. FedScoop previously reported details of the forthcoming guidance, which had raised concern among technology industry leaders.


ITI is one of the largest trade groups representing the technology industry in Washington, D.C. Its members include Adobe, Amazon, Cisco, Fortinet, Google, IBM, Microsoft and Oracle.

Latest Podcasts