In recent years, the federal government has heightened its focus on the security of the software supply chain, mandating stringent measures for software producers. As part of this initiative, the Executive Office of the President issued two key memoranda: M-22-18 and its update M-23-16. These memos require agencies to ensure software producers implement and attest to secure software development practices. This is where TestPros can step in as your trusted third-party assessor, providing the expertise and independence needed to meet these requirements.
Understanding the Requirements
The Office of Management and Budget (OMB) memos indicate that a software producer needs to self-attest or have a third-party assessment of practices for producing software securely. In place of a self-attestation, an acceptable assessment is done by an agency-approved assessment organization.
The Role of FedRAMP and CISA
The Federal Risk and Authorization Management Program (FedRAMP) has collaborated with OMB in adding further clarity to the requirements. They specifically allow independent assessments conducted by a 3PAO or an agency-approved assessment organization based on NIST Guidance. The evaluation would ensure that secure development practices were adhered to by software producers.
To facilitate this, the Cybersecurity and Infrastructure Security Agency (CISA) developed a portal through which software producers would submit their Secure Software Development Attestation Forms or third-party assessments. This central repository is to help the agencies collect and authenticate such attestations by the software producers in their quest for compliance with the mandates.
How TestPros Can Help
We are prepared to act as your Third Party Assessor here at TestPros, to render a complete assessment, ensuring your software makes the mark on all the security requirements. This includes:
- Developing the Secure Software Development Attestation Form: Collaborate with your team to ensure the attestation form is fulfilled end-to-end.
- Independent Assessments: Provide independent and complete security assessments, based on NIST guidance to ensure your software development practices meet federal requirements.
- Submission to CISA Repository:We assist in the submission of the attestation form or assessment to the CISA Repository for Software Attestations and Artifacts, ensuring visibility to all current and potential agency customers.
Deadlines to Remember
- Critical Software: Attestations for software deemed “critical” by agencies were due by June 8, 2024.
- All Other Software: Attestations for all other software are due by September 8, 2024.
Actions Required for CSPs
- Review the Memos: Develop an understanding of the attestation requirements identified in M-22-18 and M-23.
- Document Upload: If you have a signed copy of your Software Development Attestation Form or third-party assessment, upload it into the CISA Repository AND your FedRAMP secure repository.
- Notify Stakeholders: Email all agency customer Authorizing Officials (or ISSOs) and FedRAMP to alert them of the action taken.
Why Choose TestPros?
TestPros has experience conducting independent assessments against some of the world’s most widely used security frameworks. TestPros customers benefit from a depth of experience performing independent assessments for NIST 800-171, DFARS 7012, NIST 800-53, and others. We have been proven to support government and commercial organizations toward reaching stringent contract requirements and improving their security postures.
Working with TestPros means you can rest assured that your software development practices attain the highest security levels, giving your agency customers peace of mind with their compliance while further developing the mutual trust established with them. For more information on how we may assist you as a Third-Party Assessor, please contact us today. Let TestPros be your partner of trust in achieving secure software development compliance.
