CISA Secure Software Development Attestation Form (Draft)

Attestation and Signature

On behalf of the above-specified company, I attest that [software producer] presently makes consistent use of the following practices, drawn from the secure software development framework (SSDF), in developing the software identified in Section I:

1. The software is developed and built in secure environments. Those environments are secured by the following actions, at a minimum:
   1. Separating and protecting each environment involved in developing and building Software;
   2. Regularly logging, monitoring, and auditing trust relationships used for authorization and access:
      1. to any software development and build environments; and
      2. among components within each environment;
   3. Enforcing multi-factor authentication and conditional access across the environments relevant to developing and building software in a manner that minimized security risk;
   4. Taking consistent and reasonable steps to document as well as minimize use or inclusion of software products that create undue risk within the environments used to develop and build software;
   5. Encrypting sensitive data, such as credentials, to the extent practicable and based on risk;
   6. Implementing defensive cyber security practices, including continuous monitoring of operations and alerts and, as necessary, responding to suspected and confirmed cyber incidents;
2. The software producer has made a good-faith effort to maintain trusted source code supply chains by:
   1. Employing automated tools or comparable processes; and
   2. Establishing a process that includes reasonable steps to address the security of third-party components and manage related vulnerabilities;
3. The software producer employs automated tools or comparable processes in a good-faith effort to maintain trusted source code supply chains;
4. The software producer maintains provenance data for internal and third-party code incorporated into the software;
5. The software producer employs automated tools or comparable processes that check for security vulnerabilities. In addition:
   1. The software producer ensures these processes operate on an ongoing basis and, at a minimum, prior to product, version, or update releases; and
   2. The software producer has a policy or process to address discovered security vulnerabilities prior to product release; and
   3. The software producer operates a vulnerability disclosure program and accepts, reviews, and addresses disclosed software vulnerabilities in a timely fashion.

I attest that all requirements outlined above are consistently maintained and satisfied. I further attest the company will notify all impacted agencies if conformance to any element of this attestation is no longer valid.

Please check the appropriate boxes below, if applicable:

• There are addendums and/or artifacts attached to this self-attestation form, the title and contents of which are delineated below the signature line.
• I attest that the referenced software has been verified by a certified FedRAMP Third Party Assessor Organization (3PAO) or other 3PAO approved by an appropriate agency official, and the Assessor used relevant NIST Guidance, which includes all elements outlined in this form, as the assessment baseline. Relevant documentation is attached.

References

The Draft of the Secure Software Development Self Attestation Form available on cisa.gov, was released as part of a Request For Comments on April 27, 2023. Comments are due on June 26, 2023.

Reprinted courtesy of the National Institute of Standards and Technology, U.S. Department of Commerce. Not copyrightable in the United States.