White House extends timeline for collection of attestation forms from software vendors
The Office of Management and Budget has extended the deadline by which federal agencies must collect forms of attestation from software vendors, FedScoop has learned.
Agencies will now have three months from finalization of the secure software attestation form to submit the documents from vendors for critical software. For non-critical software, departments will have six months to collect the documents from vendors.
Previously, federal agencies had until June 11 to collect the forms from providers of critical software and until Sept. 14 from providers of non-critical software. The prior deadlines were included in a White House software supply chain memo, which was issued in September.
Details of the timeline extension come amid a delay in finalization of the secure software attestation form, according to a senior official. An initial draft version of the attestation form was published last month by the Cybersecurity and Infrastructure Security Agency. Stakeholders have until June 26 to comment on that document as part of a 60-day comment period.
Each agency is responsible for collecting the forms and holding them in a central agency system until CISA establishes a central repository for storing them.
The September cyber supply chain memo is one of several recent policy initiatives spearheaded by the White House to improve cybersecurity standards across federal agencies.
In March, the Biden administration published a new national cybersecurity strategy, which sought to shift the responsibility for maintaining the security of computer systems away from consumers and small businesses onto larger software makers.
That strategy document planted a major flag in the debate over whether software makers should be exposed to further liability claims. “Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers,” the strategy document argued.