866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
Build Your Compliance Roadmap
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

FAQs on Executive Order 14028 and the CISA Secure Software Development Attestation Form Blog Feature

By: Schellman

Print/Save as PDF

FAQs on Executive Order 14028 and the CISA Secure Software Development Attestation Form

Federal Assessments

Now that the deadline for the CISA Secure Software Development form is quickly approaching, organizations are working to ensure they get their attestation in order—that includes FedRAMP Cloud Service Providers (CSPs).

Since the CISA form dropped, we’ve had an influx of questions from CSPs regarding their obligations to this new compliance threshold and the potential use of a third-party assessor to help. As an authority on FedRAMP that is up-to-speed on the recent federal developments, we’re offering our answers here.

What follows is a collection of queries we’ve received from current clients or prospects regarding Executive Order 14028 and the CISA Secure Software Development Attestation Form and our expert answers that should hopefully clarify a few key points.

What You Need to Know About the CISA Secure Software Development Attestation Form

Is the CISA Secure Software Development Attestation Form Required Even If My Cloud Service Offering (CSO) Has a FedRAMP Authorization? Is There Any Overlap in What’s Tested?

 

Yes, it’s required additionally/separately from your FedRAMP Authorization, and there’s minimal overlap between the FedRAMP and CISA attestation requirements, as each has its own focus:

  • FedRAMP assesses the security of federal data and metadata that’s stored, processed, or transmitted by the cloud service offering.
  • Meanwhile, secure software assessments assess pre-production build environments and overall software development lifecycles (SDLCs), which are typically excluded from the FedRAMP boundary—your secure software assessment may also affect any commercial software you are providing to the government that is not part of your FedRAMP CSO.

That being said, the FedRAMP Project Management Office (PMO) has indicated that it may yet publish updates related to the CISA Secure Software Development Attestation for FedRAMP-authorized CSOs, and if that happens, we’ll provide updates when and if those are published.

 

What are the Deadlines Associated with the CISA Secure Software Development Attestation Form?

 

  • For critical software: June 8, 2024
  • For non-critical software: September 8, 2024

In determining what is critical/non-critical, Office of Management and Budget (OMB) memorandum M-22-18 states that agencies are responsible for determining their critical and non-critical software—as defined in M-21-30—as well as communicating requirements to the organizations that produce them.

Moreover, per M-23-16, agencies are required to collect your attestation letters within 3 months for critical software and within 6 months for all other software from “PRA Approval” of the common form.

 

Do I Need to be Fully Compliant Before Submitting the Completed Form or Undergoing a 3PAO Assessment?

 

While you do not have to fully implement everything, there are some things software producers and their agency partners must do if not all requirements are met:

  • Software Producers: Must document the mitigating controls in place and submit a Plan of Action and Milestones (POA&M) to the agency/agencies they work with.
  • Agency Partners: Must submit the software producer’s POA&M to OMB, and while they may continue using the software in the meantime, they must also coordinate with OMB for an extension on the agency’s requirements outlined in the EO and subsequent M-22-18 and M-23-16.
 

Why Should We Have Schellman Do The 3PAO Assessment Instead of Just Completing The Self-Attestation?

 

We address this in more detail in our blog here but in short, the following are key advantages to be gained in working with a 3PAO like Schellman on your CISA Secure Software Development Form:

  • Independence: As a third-party assessor recognized by the government and a leading provider of FedRAMP and CMMC assessments, we can provide an objective evaluation of your software security.
  • Depth of Secure Software Knowledge: Our expertise in this area extends beyond the NIST SSDF standard to other related best practices from the PCI Secure Software Framework (SSF), NIST Cybersecurity Framework (CSF), OWASP, and more.
  • Efficient Methodology and Workflow: Through our AuditSource platform and our focused approach that we’ve refined over 20 years in operation, we streamline evidence collection and observation testing, thereby reducing the burden on your security, development, and operations teams while delivering a thorough assessment at the same time.
 

Do We Have to be Assessed Against the Full NIST Secure Software Development Framework (SSDF) to Sign the Form or Have a 3PAO Assessment?

 

Though you certainly can undergo a full SSDF assessment so that you can report to your customers—including government customers—in a more detailed manner on your secure software development practices and controls, no, you don’t have to undergo a full secure software development assessment from Schellman to satisfy the CISA Secure Software Development Attestation Form.

In fact, we’ve created three different assessment options you can choose from so that you can address your specific needs:

  1. Assessment against the CISA Form requirements only
    • You would receive a single deliverable addressing the CISA form and no SSDF controls.
  2. Assessment against the CISA requirements AND the related SSDF controls (limited scope SSDF):
    • You would receive two (2) deliverables – one addressing the CISA Form and one for the limited related SSDF controls assessed.
  3. Assessment against the CISA requirements AND the FULL SSDF controls (full scope SSDF):
    • You would receive two (2) deliverables – one addressing the CISA form and one for all SSDF controls assessed.
 

What Scoping Factors are Important in Performing a Secure Software Development Assessment?

 

While we have a more detailed list of scoping questions that we can discuss with you, one standard aspect to consider is the number of build environments and any control implementations that might be different across those environments—this will be highly variable to each organization, as you could have:

  • One or more build environments per product; or
  • A single build environment for all products; or
  • Another other combination of products and environments; or
  • Unique implementations or processes that differ between build environments.

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.