The Inner Circle


CISA Self_Attestation_Common_Form_Instructions


    Posted 5 days ago

    Hi All,

    CISA just published the CISA Secure Software Development Attestation Form Instructions.

    The Federal Risk and Authorization Management Program (FedRAMP) and OMB worked together to provide further clarity related to OMB M-22-18. M-22-18 mentions FedRAMP and states that a third-party assessment is acceptable instead of a software producer's self-attestation:

    "A third-party assessment provided by either a certified FedRAMP Third Party Assessor Organization (3PAO) or one approved by the agency shall be acceptable instead of a software producer's self-attestation…provided the 3PAO uses the NIST Guidance as the assessment baseline."

    A FedRAMP third-party assessment organization (3PAO) or agency-approved (in writing) assessment organization may independently assess the requirements outlined in the Secure Software Development Attestation Form. Alternatively, a software producer can attest to complying with these requirements by completing and signing the Secure Software Development Attestation Form.

    CISA has developed a portal for software producers to submit a signed copy of the Secure Software Development Attestation Form or a third-party assessment referenced above. Agencies can utilize this central repository to collect attestations for software subject to the Memos. Additionally, CSPs must upload a signed copy of the Secure Software Development Attestation Form or third-party assessment to the incident response folder in their respective FedRAMP secure repository. This will allow visibility to all current and potential customers.

    CSPs and agency customers should confer to determine agency requirements, including scoping, and to determine the agency's categorization of software (whether the agency considers the software "critical" software). "Critical" software attestations were due by June 8, 2024, whereas all others are due September 8, 2024.


    FedRAMP emphasizes that Cloud Service Providers (CSPs) must provide a self-attestation or a third-party assessment if any of the following conditions are met:

    - The software was developed after September 14, 2022;
    - The software was developed before September 14, 2022, but was modified by major version changes (e.g., using a semantic versioning schema of Major.Minor.Patch, the software version number goes from 2.5 to 3.0) after September 14, 2022; or
    - The producer delivers continuous changes to the software code (as is the case for software-as-a-service products or other products using continuous delivery/deployment).

    Please see below for a breakdown of requirements:

    - Review the attestation actions described within the Memos.
    - Upload a signed copy of the Secure Software Development Attestation Form or a third-party assessment to the CISA Repository for Software Attestations and Artifacts AND the incident response folder in your respective FedRAMP secure repository. This will allow visibility to all current and potential customers.
        - For "critical" software (as determined by your CSP customers), uploaded responses were due by 11:59 PM Eastern Time on June 8, 2024.
        - For all other software, please upload responses by 11:59 PM Eastern Time on September 8, 2024.

    After completing each action above, we request that CSPs:

    - Email all agency customer Authorizing Officials (or ISSOs) with notification of the completed action.
    - Email FedRAMP with notification of the completed action at [email protected] using the following convention for your subject line: [CSP NAME | Package ID] - Response to OMB M-22-18/M-23-16
      Note: Within the email body, please confirm that you completed the online form AND uploaded the attached template to your secure repository (see step 2 above).
    - Upload a copy of your email notifications to the incident response folder in your respective FedRAMP secure repository.

    Michael Roza CPA, CISA, CIA, CC, MBA, Exec MBA, CSA Research Fe