On April 27, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) opened a 60-day public comment period to gather feedback on a draft self-attestation form. Developed in collaboration with the Office of Management and Budget (OMB), the form is based on the National Institute of Standards and Technology’s (NIST) Secure Software Development Framework (SSDF). This initiative aims to enhance the security of the software supply chain as outlined in Executive Order 14028.
The Cloud Service Providers-Advisory Board (CSP-AB) has officially responded to this draft, offering a detailed perspective to balance robust security measures with practical implementation for software providers.
Key Highlights from CSP-AB’s Feedback
- Leveraging FedRAMP Accreditation:
  - CSP-AB strongly recommends using FedRAMP baselines and existing processes to streamline compliance with the attestation requirements.
  - A mapping exercise conducted by CSP-AB shows significant overlap between the attestation form and FedRAMP controls, highlighting the opportunity for reciprocity.
- Harmonization Across Frameworks:
  - To reduce duplication, CSP-AB suggests that FedRAMP-authorized providers should not be required to provide additional attestations or documentation.
  - Aligning the guidance with the National Cyber Strategy's focus on harmonization will improve efficiency and consistency.
- Reducing Artifact Burdens:
  - Current processes allow agencies to request numerous additional artifacts even after Third Party Assessment Organization (3PAO) validation. CSP-AB recommends limiting these requests to cases of non-compliance or self-attestation.
- Addressing Time and Cost Challenges:
  - CSP-AB challenges the form's time burden estimate of 3 hours and 20 minutes, noting that completing attestations could take up to 40 hours per product for some providers.
  - A recommended 180-day timeline for compliance would give software producers adequate time to meet the requirements.
- Rethinking SBOM Requirements:
  - While Software Bills of Materials (SBOMs) can be useful for vulnerability management, CSP-AB warns against mandating their submission because of the security and operational risks involved.
  - Alternative approaches, such as focusing on provenance data, are encouraged.
- Supporting POA&M Flexibility:
  - CSP-AB supports the use of Plans of Action and Milestones (POA&Ms) for incremental compliance and recommends mapping these through FedRAMP processes to ensure transparency and risk-based decision-making.
Looking Forward
CSP-AB’s detailed response underscores the need for a practical and efficient approach to implementing the secure software attestation requirements. By leveraging existing frameworks like FedRAMP and minimizing duplication, the federal government can achieve its security objectives without placing undue burdens on software providers.
Call to Action: Stakeholders are encouraged to review and engage with the draft attestation form to shape a secure, streamlined approach to safeguarding the nation’s software supply chain. Together, we can ensure both security and innovation in federal technology adoption.
For CSP-AB’s full response: