
Enhancing Software Development Security Measures at the White House

Agencies CISA and OMB issue attestation form for verifying adherence to secure software development standards.

The Biden administration has approved a secure software development attestation form, which is aimed at improving the robustness of enforcement mechanisms in the software supply chain. This move is part of a years-long effort to secure the nation's software supply chain, following high-profile cyberattacks such as the one attributed to state-linked threat actor Nobelium, which led to compromises in SolarWinds customer environments.

The form, developed after seeking extensive industry input, calls for companies working with federal agencies to comply with minimum standards for secure software development practices. Among the secure practices included in the guidelines are separation of production and development environments, use of multifactor authentication, regular logging and monitoring, and the implementation of security controls during software development and delivery phases.

In line with the Biden administration's focus on process-based security rather than absolute assurance that software products are free from vulnerabilities, the attestation form does not require mandatory centralized reporting. However, it does expect companies to document and attest to their adherence to these secure development practices.

The form is designed to ensure software producers working with the U.S. government comply with standards for secure development. Failure to provide the requested information on the form could lead to the agency no longer using that software. A willfully false or misleading disclosure on the form could violate criminal statutes.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) released the form on Monday, and Chris DeRusha and Eric Goldstein, officials from CISA, published a blog post about the form the same day.

Although the initial requirements called for contractors to submit attestations demonstrating compliance to CISA, and for the Federal Acquisition Regulation (FAR) to be amended accordingly, recent actions under EO 14306 have struck these mandatory submission and contract language requirements from the regulatory framework. Nevertheless, government contractors remain obligated to comply with the secure software development requirements included in their contracts.

The Biden administration's framework also aligns with broader goals of improving federal cybersecurity posture and integrating modern software security controls across government systems. By December 1, 2025, the administration aims to publish a preliminary update to NIST SP 800-218 (Secure Software Development Framework) that includes practices, procedures, and examples of secure development and delivery of software. The final updated version of the SSDF is expected by March 31, 2026. Additionally, a consortium at the National Cybersecurity Center of Excellence is to be established by August 1, 2025, to develop guidance for implementing these practices.

Attestation is now a hard requirement that will be enforced during the procurement or renewal process. This attestation process is expected to force systemic changes among software suppliers currently selling, or looking to sell, to the federal government, thus bolstering the nation's cybersecurity posture.

  1. The attestation form, developed by the Biden administration, emphasizes that companies working with federal agencies must comply with minimum standards for secure software development practices, such as the use of multifactor authentication, regular logging and monitoring, and implementing security controls during development and delivery phases.
  2. The attestation process, a hard requirement in the procurement or renewal process, is designed to encourage systemic changes among software suppliers, thereby bolstering the nation's cybersecurity posture through the implementation of secure development practices, like separation of production and development environments and the adoption of modern software security controls.