For GSA, a new step to secure the software acquisition process begins
Starting this week, the General Services Administration is collecting common forms for new software contracts from providers and contractors in accordance with a 2022 Office of Management and Budget memo regarding software supply chain security.
In a May memorandum, GSA announced that beginning June 8, the agency would start collecting information for new contracts of all sizes — including “micropurchases” — from software offerors and contractors. That information would attest to government-specified secure software development practices.
Nick Mistry, the chief information security officer for Lineaje, a software supply chain security management company, said in an interview with FedScoop that he believes GSA’s June 8 start for the new guidance is “a really good thing for both the industry and government.”
The self-attestation requirements “will obviously add another step in the process, but it’s a very necessary step,” Mistry said. “Will there be a period of confusion where people don’t know exactly what’s required, both on the government side as well as industry side? But I think those things will just shake out over time. I think the net benefit is all positive.”
A GSA spokesperson said in an email to FedScoop that the agency “held multiple industry listening sessions before crafting our implementation of OMB memos M-22-18 and M-23-16. GSA took feedback from these sessions into consideration while also ensuring we met the deadlines in the OMB memoranda.”
The spokesperson noted that the agency “met the deadline for implementation to best support our customer agencies” and integrated the self-attestation form into its existing IT standards process to make attesting “as frictionless as possible” for GSA’s vendors.
The GSA is encouraging software vendors to create an account on the Cybersecurity and Infrastructure Security Agency’s repository website, the spokesperson added.
In March, CISA released the Secure Software Development Attestation Form, which required the companies that manufacture software used by the federal government to “attest to the adoption of secure development practices.” That form could either be submitted to a repository or emailed to the relevant agency.
GSA noted in its May memorandum that while the agency already required its IT department to “approve software before it could be acquired and used,” the OMB memo mandated that the department update “how it collects, reviews, retains and monitors industry attestation information.”