White House Strengthens Software Development Rules with Enhanced Security Measures

Federal government bodies CISA and OMB introduce an affirmation form to verify adherence to secure development protocols.

The U.S. government has approved a new attestation form for software producers working with federal agencies, as part of the Biden administration's efforts to secure the software supply chain. This form, developed after seeking extensive industry input, is based primarily on the NIST Special Publication 800-218 framework, known as the Secure Software Development Framework (SSDF).

The SSDF outlines foundational secure software development practices that federal contractors are expected to follow. Key elements of the framework include incorporating security controls and practices throughout the software development lifecycle, risk assessment and mitigation activities, use of secure coding practices, regular testing and vulnerability identification, supply chain risk management steps, documentation, and compliance attestation.

Although Executive Order 14306, issued in June 2025, removed earlier language directing the creation of a Federal Acquisition Regulation (FAR) clause for attestation, leaving some uncertainty about the specific regulatory enforcement mechanisms, software producers are still required to attest to compliance with these minimum standards during the procurement or renewal process.

Agencies may still rely on Office of Management and Budget (OMB) directives to enforce some form of attestation. The oversight and enforcement role of the Cybersecurity and Infrastructure Security Agency (CISA) remains unclear after Executive Order 14306.

The attestation form is intended to promote the adoption of secure practices among software suppliers working with the U.S. government. It encourages software suppliers to adopt baseline fundamental secure development practices, such as multifactor authentication, separation of production and development environments, and regular logging and monitoring.

Failure to provide the requested information on the form could lead to the agency discontinuing use of the software. Willfully false or misleading disclosures on the form could potentially violate criminal statutes.

The attestation form is part of a years-long effort to secure the nation's software supply chain through more robust enforcement mechanisms. It forms part of a broader government strategy involving collaboration across agencies like the General Services Administration (GSA), National Institute of Standards and Technology (NIST), and others to secure the software and technology supply chains, including emerging technologies like AI.

Chris DeRusha and Eric Goldstein, officials from the Cybersecurity and Infrastructure Security Agency, discussed the form in a blog post. Chris Hughes, chief security advisor at Endor Labs, said that the form will force systemic changes among software suppliers working with federal agencies.

The form was released in response to Executive Order 14028, which aims to bolster the nation's cybersecurity. Attestation through the form is now mandatory, intended to help secure the software underpinning services delivered by the U.S. government on behalf of the American people.

  1. The new attestation form for software producers working with federal agencies is based on the NIST Special Publication 800-218 framework, which emphasizes the adoption of secure practices in cybersecurity and technology.
  2. Key elements of the framework include the implementation of secure software development practices, such as multifactor authentication, separation of production and development environments, and regular logging and monitoring, which are intended to promote cybersecurity among software suppliers.