With the White House Executive Order 14028 and subsequent Office of Management and Budget (OMB) Memorandums - M-22-18, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” and M-23-16, “Update to Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” - there are explicit requirements for organizations providing software for use in the federal government.
It is important to note that organizations have the option to self-attest—meaning, you can have a chief executive of your organization or a chosen delegate sign the form.
Alternatively, you can engage an accredited 3PAO to assess of your software security before issuing a formal report that you can attach to the CISA self-attestation in lieu of having your CEO sign it.
The deadlines for providing self-attestations or 3PAO assessment reports demonstrating compliance are rapidly approaching. Read more on these deadlines and requirements here.
As a FedRAMP 3PAO, Schellman is uniquely experienced to provide third-party assessment for organizations seeking to meet the requirements in the CISA Secure Software Development Attestation Form.
Given its systematic approach to identifying, assessing, and managing cybersecurity risks in software, this assessment can help you improve your development processes, reduce the most common risk and attack vectors, and improve your overall cybersecurity posture.
So many different compliance standards address software security in some way—because we can tailor our S3A assessment to your needs, the process could help you get started in more broadly addressing your other requirements.
Having an S3A report in hand will communicate your commitment to security to potential insurers, who may then be enticed to reduce your premiums.
Our assessment deliverables will provide your customers, partners, and stakeholders with independent validation of your cybersecurity posture—helping both you and them to rest easier.
S3A Foundational*
Includes core evaluation of your:
S3A Intermediate
Includes an evaluation of your foundational controls plus a review of:
S3A Comprehensive
Includes an assessment of your software practices against the full NIST Secure Software Development Framework and the 3PAO reporting needed to satisfy the CISA Secure Software Development Attestation Form.
Joe O'Donnell is a Manager with Schellman mainly dedicated to the PCI and PCI specialty service lines. Before focusing his career on IT auditing services, Joe worked as an Enterprise Operations Computing Analyst where he gained experience in IT systems analysis and data center operations.
First, we’ll work together to identify any in-scope lines of business, systems, and platforms, shared services applications, and component applications, as well as any specifics regarding your data handled and other significant processes. In addition, we will identify any existing standards that you need to meet.
As we map your security controls to the framework subcategories, we’ll begin with a select number of control areas and range upwards to a full NIST Secure Software Development Framework assessment.
For each identified subcategory you include, we’ll review documentation and technical evidence and perform testing to determine whether or not these objectives have been met.
Wherever we note where you did not meet control requirements—or where you have opportunities to improve security and development flow—you’ll develop, document, and implement remediation plans before we review your updates and perform retesting.
We’ll provide a final and detailed analysis of the framework as well as our findings and recommendations for improving your software security and achieving compliance with relevant regulations and standards.
*You can also request an external-facing report documenting the scope, activities, and high-level findings related to the assessment.
In addition, Schellman will prepare the attestations and required documentation for reporting agencies and aid in submitting documentation.