As contemplated by PilieroMazza’s recent blog, the Cybersecurity and Infrastructure Security Agency (CISA) released a notice and request for comments on a new requirement for software producers to provide self-attestations regarding their software and its compliance with the secure software development practices described in the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF) (Special Publication 800-218). The Office of Management and Budget released a memorandum on September 14, 2022, requiring that agencies obtain self-attestations from software producers before using their software. A draft version of the self-attestation form (Form) can be found here. Government contractors that produce and provide software to the government should become familiar with the notable contents of the self-attestation, as described further below.
Who Is Required to Complete Attestations?
The term “software producer” is not defined but, on its face, it encompasses all firms that produce or develop software. These attestations will be required for:
- software developed after September 14, 2022,
- software that undergoes a major version change (e.g., using a semantic versioning schema of Major.Minor.Patch or the software version number goes from 2.5 to 3.0) after September 14, 2022, and
- software where the producer delivers continuous changes to the software code (e.g., software-as-a-service products or other products using continuous...