Request for Comment on Secure Software Development Attestation Common Form

Advancing progress toward a technology environment where all software products are safe and secure by design is a top priority for CISA, the broader U.S. government, and the global cybersecurity community. As a step on this journey, Executive Order 14028 and the Office of Management and Budget’s (OMB) M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices, and OMB M-23-16, Update to Memorandum M-22-18, required development of a self-attestation form in which software producers serving the federal government will be required to confirm implementation of specific security practices.

On November 16, 2023, CISA released a 30-day Request for Comment to solicit public feedback on a draft Secure Software Development Attestation Common Form. CISA developed this draft form in close consultation with OMB and based upon practices established in the National Institute of Standards and Technology’s Secure Software Development Framework (SSDF). CISA encourages all interested parties to: