White House fleshes out plan for agencies to collect software vendor attestation forms

Letters of attestation will not be required for open-source software and agency CIOs will have the authority to designate software as “agency-developed”.
WASHINGTON, DC - AUGUST 07: The exterior of the White House from the North Lawn on August 7, 2022 in Washington, DC. (Photo by Sarah Silbiger/Getty Images)

Federal agencies will have additional time to collect attestation forms from software vendors and will not be required to collect documentation for open-source software they use, according to new guidance from the White House.

In a memo issued Friday, first obtained by FedScoop, the Office of Management and Budget clarified details about how agencies will be required to collect cybersecurity attestations from software providers whose services they use.

According to the new guidance:

  • Agencies will have more time to collect letters of attestation
  • Letters of attestation will not be required for open-source software
  • Agency chief information officers will have discretion over whether software is considered “agency-developed”
  • Companies unable to immediately provide letters will be able to submit a “plan of action and milestones” 
The memo comes as the Biden administration works to strengthen the cybersecurity of commercial technology products used in government, and after it last year announced that agencies would have to collect letters from software vendors confirming their products adhere to NIST standards.

Today’s memo extends the amount of time U.S. federal agencies have to collect letters of attestation for critical software until three months after an attestation common form is approved by the Office of Management and Budget. For non-critical software, this timeline is six months after the attestation form is approved.

The guidance clarifies that a finalized version of the common form, which is being drafted by the Cybersecurity and Infrastructure Security Agency (CISA), has yet to be approved by the Office of Management and Budget. A draft version of the form was published in late April, and industry vendors have until June 26 to comment on it. A senior official told FedScoop that OMB would “work fast” to approve the final version of the form once the industry comment period closes.

In addition, the memo clarifies that government agencies will not be required to collect letters of attestation for open-source software, nor for software that a company offers to the public at no cost, even when that software is proprietary.

The missive said: “A significant number of core software applications, such as web browsers, to which Federal agencies must have access are offered for use to members of the public at no cost. Users of this software have no opportunity to negotiate with the producer, and therefore it will not be feasible for agencies to obtain attestations from the producers of such software.”

The same reasoning covers open-source software: its users have no counterparty with which to negotiate terms, so it would not be feasible for agencies to obtain attestations from its producers.

A senior official speaking with FedScoop said this provision could be especially beneficial for smaller federal agencies where the need to use standalone, open-source tools such as a PDF reader is acute.

Despite the exclusion of open-source software, government agencies are still required to assess the risk of utilizing such software and take appropriate steps to mitigate risks, according to the memo.

Furthermore, the new memo designates agency chief information officers as the officials responsible for deciding whether software developed by federal contractors should be considered “agency-developed.”

The “agency-developed” designation matters because such software, even when developed under a federal contract, falls outside the scope of the attestation collection requirements.

According to the memo: “If there are questions regarding whether software developed by Federal contractors should be considered agency-developed, agency CIOs are required to make that determination on behalf of the agency.”

The memo also clarifies that software manufacturers unable to immediately attest to one or more practices identified in the attestation form will be able to provide agencies with a Plan of Action and Milestones (POA&M) document.

This will allow government departments to continue working with software producers who do not yet meet minimum requirements identified in the common form but plan to do so.

“[T]he producer of a given software application must identify the practices to which they cannot attest, document practices they have in place to mitigate associated risks, and submit a POA&M to an agency,” OMB said in the document.

It added: “If the agency finds the documentation satisfactory, it may continue using the software, but must concurrently seek an extension of the deadline for attestation from OMB. Extension requests submitted to OMB must include a copy of the software producer’s POA&M.”

Further instructions on the format and process that software manufacturers must follow for extension and waiver requests will be issued on the federal collaboration website MAX.gov.

Within one year, OMB will also begin collecting metrics on the number of products in use at each agency that do not meet the minimum secure software requirements.