Most Orgs Not Ready For New CISA Security Rules
CISA’s SECURE SOFTWARE DEVELOPMENT ATTESTATION FORM rule comes into effect next week.
It requires that companies that produce software and sell it to the government adhere to key security practices. It also requires that those developers attest to their practices.
In writing.
Signed by an executive of the company.
It applies to companies that do any of these:
- Developed software for the government after September 14, 2022
- Developed software before September 14, 2022 but made major version changes after that date
- OR produce continuous changes, as is the case for SaaS products or other products using continuous delivery/continuous deployment.
There are exemptions for:
- Software developed directly by federal agencies
- Open source software that is obtained directly by an agency
- Third party components (either open source or proprietary) that are integrated into the end software product used by an agency
- Software that is freely obtained and publicly available (I am not sure how this differs from the second bullet)
The software producer may instead choose to demonstrate compliance by submitting a third-party assessment documenting conformance. That third party must either be a FedRAMP-certified 3PAO or be approved IN WRITING by an agency official.
The agency can still choose to use the software if the producer cannot attest to specific required practices, provided the producer has practices in place to mitigate the associated threats and has a plan of action and milestones (POA&M) with specific milestones and dates.
If the attestation is not provided, the agency must get a doctor’s note (waiver or extension) from the Office of Management and Budget.
For the most part, the required practices are things that you SHOULD BE doing already (although you may not be doing them). However, there are at least some requirements that you probably are NOT currently doing.
Secure software development practices are practices that every software developer should be following, but a large percentage are not.
New research from Lineaje says that 80 percent of companies are NOT READY to comply next week.
The report also says that 84 percent of the companies have not implemented software bills of materials (SBOMs), even though they became mandatory in May 2021.
Lineaje says that more than half of the respondents had not even heard of Executive Order 14028, and half of those familiar with it didn't really know what was in it. Credit: Betanews
If you need help building a secure software development process, or with complying with federal law regarding secure software development attestations, please contact us.