GSA takes new steps to secure the software acquisition process 

The General Services Administration (GSA) is now collecting common forms for new software contracts from providers and contractors, in compliance with the 2022 Office of Management and Budget (OMB) memo on software supply chain security. According to a May memo, GSA announced that starting June 8th, the agency would require information attesting to government-specified secure software development practices for new contracts of all sizes, including micro-purchases.

A GSA spokesperson informed FedScoop that the agency conducted multiple industry listening sessions to gather feedback before implementing the OMB memos M-22-18 and M-23-16. This feedback was integrated to ensure the deadlines in the OMB memos were met while supporting customer agencies. The spokesperson emphasized that the self-attestation form has been integrated into GSA’s existing IT standards process to facilitate compliance with minimal friction for vendors.

To streamline the attestation process, GSA is encouraging software vendors to create accounts on the Cybersecurity and Infrastructure Security Agency’s (CISA) repository website. In March, CISA released the Secure Software Development Attestation Form, requiring software manufacturers for the federal government to attest to secure development practices. This form can be submitted to a repository or emailed to the relevant agency.

GSA noted that while its IT department already required approval before acquiring and using software, the OMB memo mandated updates on how it collects, reviews, retains, and monitors industry attestation information.

The Daily Scoop Podcast is available every Monday-Friday afternoon.
If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Google Podcasts and Spotify.