The Cybersecurity Coalition submitted comments to the Cybersecurity & Infrastructure Security Agency’s (CISA) second Request for Comment on its Secure Software Development Attestation Common Form. Once approved, Federal Agencies will use the Form to confirm that the software producers they contract with use secure software development practices.

The Office of Management and Budget (OMB) directed CISA to create the Form to satisfy a requirement in the May 2021 Executive Order on Improving the Nation’s Cybersecurity (E.O. 14028). CISA released its first draft of the Form in April 2023, on which the Coalition submitted comments in June 2023.

Our comments on the second draft focus on six key concerns, some of which we raised in our June 2023 comments:

Clarify Provenance Definition

In the current draft, the Form requires software producers to maintain “provenance for internal code and third-party components incorporated into the software,” but does not provide a definition of “provenance.” To address this issue, the Coalition recommends CISA clarify that maintaining “provenance” means, “if the software producer uses a third-party library (proprietary or open-source components), they will need to keep information about attributes of the acquired library in addition to when and where it was retrieved.” The Coalition also urges CISA to revise the Form to require software producers to make a “good-faith effort” to maintain provenance data.

Provide CEO Authority to Delegate Signature of the Form

The Coalition opposes the requirement for either a Chief Executive Officer (CEO) or Chief Operating Officer (COO) to sign the Form. We argue that this requirement would pose an undue burden, especially to larger software producers that will likely need numerous Forms to cover all products sold to the government. Therefore, the Coalition recommends that CISA allow CEOs to identify appropriate designees to sign the Form on behalf of their organization.

Requirement to Notify Impacted Agencies of Changes to the Form

The Coalition believes that the Form’s requirement to notify “all impacted” agencies of changes to their self-attestation is not feasible. Government agencies may use the software producer’s products to provide information or shared services to other agencies without the software producer’s knowledge. Therefore, the Coalition believes that software producers should only be required to inform agencies with whom they have a contractual relationship for the software of any changes to the self-attestation.

Consistency of Attestation Requirements

In the current draft, the Form requires the software producer to attest to “making a good-faith effort” to have some practices and to “maintaining” other practices. The Coalition suggests standardizing this language in the Form to say the software producer “takes reasonable steps to consistently maintain and satisfy the following” practices.

Establish More Realistic Burden Estimates

The Coalition believes that the Form’s “Burden Statement” minimizes the impact that the self-attestation process will have on software producers. While CISA suggests that software producers will take 3 hours and 20 minutes to complete the Form, the Coalition believes they will likely need between 200 and 1,000 hours per product.

Address PDF Naming Conventions

To increase clarity, the Coalition recommends that CISA change the naming conventions for PDF submissions of the Form.

Luke O'Grady
