Secure Software Development Attestation Form

Background

On May 12, 2021, the President issued Executive Order 14028 on Improving the Nation’s Cybersecurity (EO 14028). EO 14028 charged agencies with enhancing cybersecurity through a variety of initiatives including Enhancing Software Supply Chain Security.

On September 14, 2022, the Office of Management and Budget (OMB) issued the Memorandum for the Heads of Executive Departments and Agencies (M-22-18) requiring each Federal agency to comply with the NIST Guidance when using third-party software on the agency’s information systems or otherwise affecting the agency’s information.

The term “software” for purposes of the M-22-18 memorandum includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.

On June 9, 2023, OMB issued Update to Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (M-23-16), which extended the timeline for collecting attestations and clarified the scope of M-22-18’s requirements.

Submitting your Secure Development Software Attestation

Download the Secure Development Software Attestation Common Form:

File Naming Convention:

  • If you are submitting a company-wide attestation, or an attestation for multiple products, do not include the product name or version number in your file name.

Submission:

  • Do not submit your Secure Development Attestation Form to the Cybersecurity and Infrastructure Security Agency (CISA) Repository for Software Attestations and Artifacts (RSAA).
  • After the form is complete, submit it to softwareattest@dot.gov.
  • If you received a request from the Federal Aviation Administration (FAA), please submit your attestation directly to the email address that they have provided.

References:

Contact softwareattest@dot.gov with questions.