Request for Comment on Secure Software Development Attestation Common Form
Advancing progress toward a technology environment where all software products are safe and secure by design is a top priority for CISA, the broader U.S. government, and the global cybersecurity community. As a step on this journey, Executive Order 14028 and the Office of Management and Budget’s (OMB) M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices, and OMB M-23-16, Update to Memorandum M-22-18, required development of a self-attestation form in which software producers serving the federal government will be required to confirm implementation of specific security practices.
On November 16, 2023, CISA released a 30-day Request for Comment to solicit public feedback on a draft Secure Software Development Attestation Common Form. CISA developed this draft form in close consultation with OMB and based upon practices established in the National Institute of Standards and Technology’s Secure Software Development Framework (SSDF). CISA encourages all interested parties to:
- Review the Secure Software Development Attestation Common Form.
- Learn more about the form at Federal Register: Agency Information Collection Activities: Request for Comment on Secure Software Development Attestation Common Form.
- Send written comments and recommendations for the proposed information collection to www.reginfo.gov/public/do/PRAMain. Find this information collection by selecting "Currently under Review - Open for Public Comments" or by using the search function.
- Submit comments within the 30-day comment period. Comments will be accepted through December 18, 2023.