Why government vendors will self-certify the security of their software products


Written by Dave Nyczepir

New guidelines released by the White House on Wednesday give agencies a timeline to begin obtaining self-attestations from software developers before using their products, rather than relying on third-party reviews.

Self-attestation refers to the documentation that developers must provide to demonstrate compliance with NIST's Secure Software Development Framework (SSDF). The framework is one that federal IT officials and the wider tech industry have been aware of since at least March, when the White House asked agencies to begin adopting it.

The details included in the latest OMB memo allay concerns expressed by IT and cybersecurity experts interviewed by FedScoop in June, who worried that it could require software developers to obtain third-party verification of their compliance, a regime that could take years to set up, in part because a pool of qualified auditors would first have to exist.

Speaking to FedScoop after the memo was released on Wednesday, Dan Lorenc, CEO of software security startup Chainguard, said the White House's decision to start with self-attestation was "pretty obvious right from the beginning".

"If they had done a third[-party review] it would have been shocking at this point," he added. According to Lorenc, this is the first step toward "launch[ing] a complex ecosystem" in which suppliers will soon be required to assess their own suppliers, in a wave that is likely to "spread through the industry quite quickly".

Lorenc believes a shift to third-party reviews will happen at some point, a view not shared by everyone in the industry.

According to Henry Young, director of policy at industry group BSA | The Software Alliance, such assessments by a third-party vendor may not be necessary.

“What I see is that it’s likely that the majority of purchases can be made with a supplier’s attestation, rather than the more expensive third-party certification,” he said, pointing out that software vendors take the assurances they give very seriously because of their direct effect on customers.

The White House memo requires that any self-attestation include the name of the software developer, a description of the products involved, and a statement that the developer adheres to secure development practices.

Even so, agencies can still require third-party assessments based on a risk-based determination of the criticality of the product or service, according to the guidelines. These can be done by a Federal Risk and Authorization Management Program (FedRAMP) third-party assessor or one the agency approves.

The Federal Acquisition Regulatory Council also plans to develop a standard self-attestation form for agencies.

Today, a machine-readable software bill of materials (SBOM) is typically produced after the fact, by running basic scanning or software composition analysis tools over a finished product, something agencies can already do themselves. Modern SBOMs will instead be generated by developers during the build and include more information, giving a more complete picture of the software supply chain, Lorenc said.

Despite recent efforts by lawmakers to codify SBOMs in the federal procurement process as part of the House spending bill, software developers want the government to clarify which artifacts (threat models, log entries, source code files and vulnerability scan reports) would be required, what they must contain and how they should be shared before proceeding.

The wording of this bill would prohibit the purchase of software containing known vulnerabilities.

"It's the kind of thing that sounds great at first, until you get into the trenches and realize how messy a lot of these vulnerability databases are and how poor the data quality is," added Lorenc.

SBOMs will only amplify this poor data quality, he said.

While Young is pleased that the White House memo includes many industry best practices for secure software development, capabilities and lifecycle management, he is disappointed that the same practices are not required of agencies themselves or of the contractors that develop software for them.

The memo also doesn’t outline how to streamline self-attestation across government.

“The guidelines do nothing to harmonize requirements across agencies,” Young said. “So that means vendors may have to provide the same or similar documentation to different agencies, which doesn’t seem like the best use of cybersecurity resources.”
