How to Meet the 2024 Deadline for the CISA Secure Software Attestation
In May of 2021, President Biden issued his Executive Order on Improving the Nation’s Cybersecurity (EO 14028), an EO that took specific and significant aim at federal IT systems as well as the private sector technology and software providers that support them.
With the September deadline for non-critical software just around the corner, it's crucial to start the compliance process as soon as possible. Beginning the process early not only ensures that you’re on track to meet the deadline, but it can also lessen the severity of potential repercussions if you’re not fully compliant by the due date. Regulatory bodies may view your proactive efforts more favorably if you've started the process and demonstrated a commitment to improving your security measures.
If you’re a private company and software provider, upon review of the EO, your primary focus was likely on section 4 and the content regarding software supply chain security. You likely made certain moves to try and improve yours even as the threat landscape has continued to change and different solutions to help have emerged.
Fast forward to now, in 2024, NIST’s SP 800-218 Secure Software Development Framework (SSDF) has been published and the related CISA self-attestation form that companies are required to fill out attesting to their compliance has been finalized. The form must be signed by either the CEO, someone she or he designates, or an accredited 3rd Party Assessment Organization (3PAO) like Schellman.
That means that, per the Order, companies that develop critical software now have 90 days to comply with the SSDF and fill out the CISA form (with a deadline of June 8, 2024), while those who create non-critical software have six months (and a deadline of September 8, 2024).
With these deadlines looming, if your company is attesting to the security of its software development, you will need experienced experts like Schellman to review your practices and ensure that you meet the requirements of the NIST SSDF, and our NIST-based Software Security Assessment service has the potential to be exactly what you need.
In this article, we’ll explain how.
EO 14028 and Your Software Security
First, let’s recap how we arrived at this point—it began with the issuing of Executive Order 14028 “Improving the Nation’s Cybersecurity” on May 12, 2021, which contained the following sections:
- Policy
- Removing Barriers to Sharing Threat Information
- Modernizing Federal Cybersecurity
- Enhancing Software Supply Chain Security*
- Establishing a Cyber Safety Review Board
- Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
- Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
- Improving the Federal Government’s Investigative and Remediation Capabilities
- National Security Systems
- Definitions
* As we mentioned before, for software developers, the most applicable portion of the requirements is within section 4: Enhancing Software Supply Chain Security.
The security of software used by the Federal Government is vital to the Federal Government’s ability to perform its critical functions. The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.
– Sec. 4. Enhancing Software Supply Chain Security of Executive Order 14028
In tandem with the issuing of this EO, NIST was instructed to develop standards for software security and secure software development as relevant to Section 4—these were subsequently published in February of 2022 as SP 800-218 Secure Software Development Framework.
Per further instructions within the EO, NIST also published several other documents and guidance, including Security Measures for “EO-Critical Software” Use and the overarching NIST Security Software Framework.
Meanwhile, the order also required that the Cybersecurity and Infrastructure Security Agency (CISA) ensure software producers self-attest to the requirements. Now that the form has been finalized, it remains based on the NIST SSDF.
That being said, one key thing has changed on the CISA self-attestation form. While the draft form asked that your CEO or COO sign attesting to compliance with the SSDF—which could be further supplemented by a report from a FedRAMP 3PAO—the finalized form now allows the option for the company executive OR the 3PAO to sign off on compliance. (Despite that change, given the extensive focus put on executive responsibility for cybersecurity and reporting, many Schellman clients have opted for the 3PAO assessment and attestation.)
What is Schellman’s NIST Software Security Assessment?
With the form finalized and urgent deadlines for compliance with the SSDF now in place, you may be seeking more specialized assistance in complying with these new requirements, considering the complexity of software security.
Schellman leverages our cybersecurity expertise and combines it with our customized methodology to yield what we call our Software Security Assessment (S3A) Service. Using the reporting structure provided by CISA, Schellman—as one of the first authorized FedRAMP 3PAOs—can assess the controls and provide a complementary report alongside your attestation form.
Specifically designed to address the intricacies of software security, our approach during an S3A starts with our testing of your implementation of the minimum attestation requirements as outlined in EO 14028 subsection (4)(e), CISA Attestation form requirements, and the broader requirements of NIST 800-218.
From a scoping perspective, a software security assessment includes testing of controls at the enterprise (central), build environment, and product levels. Most of the substantive testing occurs at the build environment level, in other words, the teams, processes, and technologies used to develop, test, and deploy the software. As a result, an assessment scope will be more aligned with the number of build environments than the number of products.
We test against the specific requirements as outlined in the NIST SSDF. Areas of review include but are not limited to:
- Software development lifecycle (SDLC) processes
- Basic secure code development training capabilities for engineering personnel
- Secure code testing practices
- Source code security
- Separation of duties
- Security and authentication of source code
- Use of static and dynamic testing
- Review of advanced secure coding and testing capabilities for engineering personnel
- Review of Software Bills of Material (SBOM)
Once our evaluation is complete, we compile the results into a compliance report that is specifically tailored to supplement the requirements of the CISA Secure Software Development Attestation Form, with a focus on the alignment of your software practices with the NIST SSDF controls. Additionally, we provide internal management findings and observations for additional controls that may be best practice but are not mandated.
With this approach, you can be confident in the attestation that is provided to CISA and the associated assurance to your customers.
Other Considerations for Your Software Security
Since arriving in office, President Biden and his administration have taken an active approach to improving the nation’s cybersecurity, including an unveiling of an entirely new strategy. Executive Order 14028 represents another branch of this new emphasis, and compliance with the new standards surrounding the Order’s software security components will be required quickly—as soon as June or September 2024.
At Schellman, we believe that prioritizing software security and compliance is essential for protecting your organization and its customers. We’re committed to helping you navigate this new journey with confidence to the achievement of your software security goals, and that’s why we created our new S3A service that can help any organization more easily comply.
Now that you understand a little more about it, you can take more informed steps for your organization when moving forward toward compliance, but we understand if you have further questions. If you’re interested in learning more about our new service, we encourage you to reach out to us so we can address any concerns you may have and help you better determine if this is the right step for you.
About Douglas Barbin
As President and National Managing Principal, Doug Barbin is responsible for the strategy, development, growth, and delivery of Schellman’s global services portfolio. Since joining in 2009, his primary focus has been to expand the strong foundation in IT audit and assurance to make Schellman a market-leading diversified cybersecurity and compliance services provider. He has developed many of Schellman's service offerings, served global clients, and now focuses on leading and supporting the service delivery professionals, practice leaders, and the business development teams. Doug brings more than 25 years’ experience in technology-focused services, having served as a technology product management executive, mortgage firm CTO/COO, and fraud and computer forensic investigations leader. Doug holds dual bachelor's degrees in Accounting and Administration of Justice from Penn State as well as an MBA from Pepperdine. He has also taken postgraduate courses on Artificial Intelligence from MIT and maintains multiple CPA licenses in addition to most of the major industry certifications, including several he helped create.