How US Government ISVs Can Quickly Verify CISA Attestation

Software companies that sell to the US government face new hurdles when it comes to getting or keeping lucrative US government contracts: the need to verify CISA Attestation.

The CISA Attestation requires only a subset of NIST’s Secure Software Development Framework (SSDF) requirements to be implemented before an ISV can attest “in good faith” that they are aligned with the US government’s requirements. In brief, the CISA Attestation requirements include:

  • Development Environment Security: developer desktops, code repositories, and CI/CD systems must be implemented with secure controls to ensure code is being developed, checked in/out, and built in a manner that minimizes risk.
  • Software Supply Chain Security: implement controls to ensure the security and integrity of open source and other third-party software.
  • Code and Artifact Provenance: create and maintain provenance in order to validate that software artifacts have been sourced and built securely.
  • Vulnerability Remediation: identify, disclose, and remediate vulnerabilities in a timely manner depending on risk level.

In some cases, best practices you already employ can serve as evidence of compliance with these requirements. In other cases, closing the gaps may take significantly more work to meet the requirement set by CISA. This white paper can help you understand and bridge those gaps, leading to compliance and a more secure software supply chain.
