
Most people find compliance a big ol’ snoozefest. It consumes time and resources that could be better allocated elsewhere. The language that regulatory bodies use is so “lawyered!” as to be nearly incomprehensible. For developers, the recent requirements around secure software attestations start bringing the President’s “Executive Order on Improving the Nation’s Cybersecurity” (EO) to life.

To give you the TL;DR, the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Secure Software Self-Attestation Form is the first step toward establishing the minimum requirements that software companies need to meet.

How did we get to the Secure Software Self-Attestation Form?

To understand how we got to this point, you need a brief overview of what’s been going on in the past few years. A brief timeline of software security initiatives looks like this:

The Anatomy of the Secure Software Self-Attestation Form

Although the form clocks in at 10 pages, you can skip several less important sections with the following summary:

  • The Privacy Act Statement: outlines the history of the EO and the OMB memorandum, the purpose stated in those documents, the use case (complying with those documents), and a disclosure that completing the form is mandatory
  • Purpose of the form: discusses the EO’s and the OMB memorandum’s requirements for Federal agencies to make sure their software developers follow NIST’s SSDF and provide documentation