The Cybersecurity and Infrastructure Security Agency is attempting to make cybersecurity a high-level issue for companies by only allowing top executives to sign off on a new secure software attestation form that will be used across the federal government.
The latest version of the form is open for public comment, submitted to CISA and the White House Office of Management and Budget, through Dec. 18. Once the form is finalized, OMB will require agencies to start using it within three months for all “critical software” and within six months for most other third-party software.
After receiving more than 100 public comments, CISA made limited changes to the form.
One key difference is that only a software producer’s chief executive officer or chief operating officer will be able to sign the form. The previous version would have allowed a CEO to designate an employee to sign the attestation.
Jason Weiss, former Defense Department chief software officer and now COO of TestifySec, Inc., said the attestation “forces the C-suite and software engineers to have hard conversations.”
“In the past, there was very little reason for a COO or a CEO to go talk to an engineering manager or an engineering director to ask them about, ‘How do you make sure what you’re building is safe and resilient to the best that you can?’” Weiss said. “And now, because of this attestation, they realize that they have to walk the halls and open those doors and have those types of conversations where none existed before.”
CISA Director Jen Easterly and other agency officials have also pushed the concept of “corporate cyber responsibility” amid growing international tensions and increasing cybersecurity incidents.
“CEOs and boards have to own cyber risk,” CISA Director Jen Easterly said in September at the Billington Cybersecurity Summit in Washington. “They can’t delegate that to CISOs and CIOs, and they have to make sure that their CISOs and CIOs are well resourced.”
The attestation form is also a key component of the national cyber strategy’s initiative to use the federal government’s purchasing power to improve cybersecurity and accountability in the private sector.
“There’s a lot of accountability pieces in here, and there’s a framework underneath it for what happens if you don’t comply, but you say you do,” Joel Krooswyk, the federal chief technology officer at GitLab, said in an interview.
The CISA form also comes amid a beefed-up Justice Department effort to enforce compliance with cybersecurity standards through the False Claims Act. Meanwhile, the Securities and Exchange Commission is suing SolarWinds and its chief information security officer, accusing them of misleading investors by not disclosing “known risks” and not accurately representing the company’s cybersecurity measures.
“I think that single action taken by the SEC has made everybody perk up in the C-suite and realize that this is something that I must pay attention to or risk peril, not only for the organization and its shareholders, but personal peril,” Weiss said.
While the threat of litigation may create some uncertainty for companies, CISA has also sought to respond to concerns about liability and overly burdensome requirements in the latest version of the attestation form.
The document now includes language around “good-faith” efforts to maintain trusted source code, while the executive signing the attestation is doing so “to the best of my knowledge.”
And instead of signing the form, a company can attest to the requirements by submitting an assessment completed by a Third Party Assessor Organization (3PAO), such as those done under the Federal Risk and Authorization Management Program (FedRAMP).
The Information Technology Industry Council (ITI) applauded those updates in a statement from Leopold Wildenauer, the senior manager for public sector policy.
“We encourage CISA and OMB to continue this partnership with trusted industry partners as the agencies address outstanding issues like the definition of responsibilities for complex systems and the development of a secure and centralized repository,” Wildenauer said.
Even if a software producer cannot attest to meeting the requirements in the form, an agency can still use the software if the company documents those gaps in a plan of action and milestones (POA&M). However, agencies must still get an OMB extension or waiver to continue using the software.
The form also allows agencies to seek Software Bills of Materials (SBOMs) or other “artifacts” that help document whether a company’s product meets secure development practices. Some industry groups had pushed for CISA to drop references to the SBOM, arguing the concept was not yet mature enough to be included in procurement documents.
But Megan Brown, a cybersecurity attorney at Wiley Rein, said the attestation form is another requirement in an increasingly crowded room of cybersecurity rules and regulations. She pointed to the Federal Acquisition Regulatory Council’s proposed cyber rules published earlier this fall.
“There’s so many other activities underway, so I think there’s a question of, is this the best way to achieve their goals, which is to grab the procurement process and try and be aggressive using it, rather than letting some of these other processes play out?” Brown said.
Weiss also pointed out that the attestation form requirement provides few, if any, specific details to agency authorizing officials about a company’s software security practices and controls.
“We understand as an industry that something has to change, and that this is probably the first step in a marathon of changes that will have to happen for us to have a more resilient software supply chain,” Weiss said. “But everybody recognizes, the government and industry both, that a simple piece of paper with a wet signature from a CEO is not going to change security overnight.”