866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
Build Your Compliance Roadmap
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

The CISA Secure Software Attestation –Why Use an External Assessor? Blog Feature
Douglas Barbin

By: Douglas Barbin

Print/Save as PDF

The CISA Secure Software Attestation –Why Use an External Assessor?

Federal Assessments

With the deadlines for the newly incorporated Cybersecurity Infrastructure and Security Agency (CISA) Secure Software Development Attestation Form looming, organizations supplying government-used software must get their ducks in a row to ensure compliance with these requirements.

In completing the CISA form, organizations can either self-attest or engage an accredited Third-Party Assessment Organization (3PAO) for assessment. As one of your 3PAO options, in this article, we’ll first discuss how things progressed to this pivotal point and why a 3PAO—specifically Schellman—may be your best option for compliance.

 

The Progression of Federal Software Security Concerns (How We Got to This Point)

 

What is Executive Order 14028?

This new requirement for government-used software first spawned back in May 2021, when President Biden published his Executive Order on Improving the Nation’s Cybersecurity (E0 14028)—an EO that took specific and significant aim to improve the security of federal IT systems as well as the private sector technology and software providers that support them.

To assist the relevant agencies and their private sector suppliers, Biden—within EO 14028—ordered the National Institute of Standards and Technology (NIST) to develop a framework to standardize the threshold for software security and secure software development.

 

What is the NIST Secure Software Development Framework?

Nearly a year later, NIST published its Special Publication (SP) 800-218, also known as its Secure Software Development Framework (SSDF) in February of 2022.

Designed to be readily adaptable to different development environments, technologies, and organizational structures, NIST’s SSDF aims to provide a structured approach to identifying, mitigating, and managing security risks associated with software applications. Through its holistic set of guidelines, best practices, and recommendations, the SSDF can assist software developers, architects, and security professionals with integrating measures to secure all phases of the software development lifecycle (SDLC).

NIST also published several other documents and guidance that could help organizations improve their software security, including:

 

Moreover,  the Office of Management and Budget (OMB) published two related memorandums that integrate EO 14028 and the SSDF to identify requirements for government agencies and software providers while also address definitions, actions, responsibilities, and timelines: 

  • M-22-18: Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” 
  • M-23-16: “Update to Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” 
  • M-21-30: “Protecting Critical Software Through Enhanced Security Measures (a bonus memorandum included for the definition of critical software)

What is the CISA Secure Software Attestation Form?

Also in President Biden’s EO 14028 was a new requirement for CISA to ensure software producers attest to the requirements through a new form that identifies the minimum secure software development requirements a software producer must meet, and attest to meeting, before software subject to the requirements of M-22-18 and M-23-16 may be used by Federal agencies.”

So, if you’re a software producer and want to provide products to the government for use, you should likely first implement elements of the NIST SSDF into your software development practices before attesting—through the CISA form—that the software you produce is developed in conformity with those guidelines, and you must complete that form by June 8th, 2024 if you produce critical software (though you have a few more months if you produce non-critical software, as that deadline for those products is September 8th, 2024). 

 

Self-Attestation vs. Using a 3PAO for Your CISA Secure Software Attestation

 

Given the incredibly quick turnaround at this point—the date of this blog is May 13, 2024—the good news is that you have the option to self-attest—meaning, you can have a chief executive of your organization or a chosen delegate sign the form.

Alternatively, you can engage an accredited 3PAO to assess of your software security before issuing a formal report that you can attach to the CISA self-attestation in lieu of having your CEO sign it.

While you may be thinking that bringing in a 3PAO would just eat up valuable time, first let us just say that even if you weren’t able to have an assessment completed before June 8th (or September 8th), a letter confirming your engagement and intent to undergo one would suffice for CISA.

You might also be thinking that it’d be much easier to just sign the form rather than having to deal with an entire audit process but consider that using a 3PAO for your CISA Secure Software Attestation would benefit your company beyond satisfying a new federal requirement. Independent validation of your security measures would provide further assurance to your customers—including federal government agencies—that they can trust your software

 

Why Schellman for Your CISA Secure Software Attestation

 

While you do have other options, being a 3PAO ourselves, we at Schellman have already been engaged by several clients—including those for whom we perform FedRAMP assessments—to conduct this type of review, and we might also be the right partner for you due to our:

 

  • Independence: As a third-party assessor recognized by the government and a leading provider of FedRAMP and CMMC assessments, we provide an objective evaluation of your software security.
  • Depth of Secure Software Knowledge: Our expertise in this area extends beyond the NIST SSDF standard to other related best practices from the PCI Secure Software Framework (SSF), NIST Cybersecurity Framework (CSF), OWASP, and more.
  • Efficient Methodology and Workflow: Through our AuditSource platform and our focused approach that we’ve refined over 20 years in operation, we streamline evidence collection and observation testing, thereby reducing the burden on your security, development, and operations teams.

In performing software security assessments, we use a systematic approach to evaluate software production, examining controls at the enterprise, build environment, and product layers as part of a process that includes the following stages: 

 

Scoping

First, we’ll identify the critical (and non-critical) applications.

In many cases, your customers will have already relayed what is critical or not critical but either way, we’ll review your full catalog of products to understand their respective criticality and use-case within the federal government. 

Enterprise Controls Review

As software security begins at the enterprise level, we’ll then review and evaluate your policies, procedures, change control processes, quality assurance, and developer training.

Build Environment Testing

When assessing your build environment—where your software is developed, tested, approved, and deployed, we’ll interview build environment personnel and review documentation and technical evidence to validate the security of the code as well as the processes used to develop, test, and deploy it. Items tested will include: 

· Environment segregation

· Logging

· Multifactor authentication

· Encryption

· Software testing and scanning 

· Software supply chain

· Vulnerability and flaw management 

(NOTE: For small businesses, there may be only one build environment, but larger organizations could have distributed teams of engineers and testers.)

Product Specific
Testing

If you only produce a single product—or a single subset of products—we’ll example the product and the supporting evidence showing that the security controls were in place as defined by enterprise and build environment controls. 

Reporting and Feedback

Finally, we’ll provide you with an independently assessed report to submit to CISA—our deliverable will also contain identified opportunities for improvement of your adherence to the broader NIST 800-218 standard, as well as our feedback regarding best practices overall.

 

Getting Started in Meeting the CISA Secure Software Deadline

Whether you engage us as your 3PAO to attest to your security or not, if you produce software for government use, you’ll need to complete the CISA form—and soon.

But if you are interested in learning more about partnering with us in meeting the CISA mandate, contact us today so that we can discuss further how that engagement would progress, as well as how to enhance your software security overall.

About Douglas Barbin

As Chief Growth Officer and firmwide Managing Principal, Doug Barbin is responsible for the strategy, development, growth, and delivery of Schellman’s global services portfolio. Since joining in 2009, his primary focus has been to expand the strong foundation in IT audit and assurance to make Schellman a market leading diversified cybersecurity and compliance services provider. He has developed many of Schellman's service offerings, served global clients, and now focuses on leading and supporting the service delivery professionals, practice leaders, and the business development teams. Doug brings more than 25 years’ experience in technology focused services having served as technology product management executive, mortgage firm CTO/COO, and fraud and computer forensic investigations leader. Doug holds dual-bachelor's degrees in Accounting and Administration of Justice from Penn State as well as an MBA from Pepperdine. He has also taken post graduate courses on Artificial Intelligence from MIT and maintains multiple CPA licenses and in addition to most of the major industry certifications including several he helped create.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.