[Federal Register Volume 88, Number 220 (Thursday, November 16, 2023)]
[Notices]
[Pages 78759-78761]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-25251]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

[Docket No. CISA-2023-0001]


Agency Information Collection Activities: Request for Comment on 
Secure Software Development Attestation Common Form

AGENCY: Cybersecurity and Infrastructure Security Agency (CISA), 
Department of Homeland Security (DHS).

ACTION: 30-Day notice and request for comments.

-----------------------------------------------------------------------

SUMMARY: The Cyber Supply Chain Risk Management (C-SCRM) Program 
Management Office (PMO) within Cybersecurity and Infrastructure 
Security Agency (CISA) will submit the following information collection 
request (ICR) to the Office of Management and Budget (OMB) for review 
and clearance. CISA previously published this information collection 
request (ICR) in the Federal Register on April 27, 2023, for a 60-day 
public comment period. 110 comments were received by CISA. The purpose 
of this notice is to allow additional 30-days for public comments.

DATES: Comments are encouraged and will be accepted until December 18, 
2023.

ADDRESSES: Written comments and recommendations for the proposed 
information collection should be sent to www.reginfo.gov/public/do/PRAMain. Find this information collection by selecting ``Currently 
under Review--Open for Public Comments'' or by using the search 
function.
    The Office of Management and Budget is particularly interested in 
comments which:
    1. Evaluate whether the proposed collection of information is 
necessary for the proper performance of the functions of the agency, 
including whether the information will have practical utility;
    2. Evaluate the accuracy of the agency's estimate of the burden of 
the proposed collection of information, including the validity of the 
methodology and assumptions used;
    3. Enhance the quality, utility, and clarity of the information to 
be collected; and
    4. Minimize the burden of the collection of information on those 
who are to respond, including through the use of appropriate automated, 
electronic, mechanical, or other technological collection techniques or 
other forms of information technology, e.g., permitting electronic 
submissions of responses.

[[Page 78760]]

    This process is conducted in accordance with 5 CFR 1320.10.

FOR FURTHER INFORMATION CONTACT: Shon Lyublanovits, 888-282-0870, 
[email protected].

SUPPLEMENTARY INFORMATION:

I. Background

    In response to incidents such as the Colonial Pipeline and Solar 
Winds attacks, on May 12, 2021, President Biden signed Executive Order 
14028 \1\ on Improving the Nation's Cybersecurity. This order outlines 
over 55 actions \2\ federal agencies need to take to improve 
cybersecurity. These actions range from developing strategies for 
critical software use to directly removing certain software products 
that do not comply with revamped standards. The objective of the 
executive order is to bolster the cybersecurity of federal systems. 
This Executive order addresses seven key points:
---------------------------------------------------------------------------

    \1\ https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.
    \2\ https://www.natlawreview.com/article/2021-cybersecurity-recap-government-contractors-and-what-to-expect-2022-part-1-4.

 Remove barriers to cyber threat information sharing between 
government and the private sector
 Modernize and implement more robust cybersecurity standards in 
the Federal Government
 Improve software supply chain security
 Establish a Cybersecurity Safety Review Board
 Create a standard playbook for responding to cyber incidents
 Improve detection of cybersecurity incidents on Federal 
Government networks
 Improve investigative and remediation capabilities

    Section 4 of the E.O. observed, ``The development of commercial 
software often lacks transparency, sufficient focus on the stability of 
the software to resist attack, and adequate controls to prevent 
tampering by malicious actors.'' To address these concerns, the 
Executive Order required the National Institute of Standards and 
Technology (NIST) to issue guidance including standards, procedures, or 
criteria to strengthen the security of the software supply chain.
    To put this guidance into practice, the Executive Order, through 
the Office of Management and Budget (OMB), requires agencies to only 
use software provided by software producers who can attest to complying 
with Federal Government-specified secure software development 
practices, as described in NIST Special Publication (SP) 800-218 Secure 
Software Development Framework.\3\ OMB implemented this requirement 
through OMB memorandum M-22-18 dated September 14, 2022.\4\ 
Specifically, M-22-18 requires agencies to ``obtain a self-attestation 
from the software producer before using the software.'' (Enhancing the 
Security of the Software Supply Chain through Secure Software 
Development Practices, Page 6, Sep. 14, 2022)
---------------------------------------------------------------------------

    \3\ https://doi.org/10.6028/NIST.SP.800-218.
    \4\ https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf.
---------------------------------------------------------------------------

    A copy of the current draft of the self attestation form is 
available at https://www.cisa.gov/resources-tools/resources/secure-software-self-attestation-common-form.
    On June 9, 2023, OMB subsequently updated M-22-18 with M-23-16, 
``Update to Memorandum M-22-18, Enhancing the Security of the Software 
Supply Chain through Secure Software Development Practices.'' M-23-16 
states that ``Agencies must collect attestations for critical software 
subject to the requirements of M-22-18 and this memorandum no later 
than three months after the M-22-18 attestation common form released by 
the Cybersecurity and Infrastructure Security Agency (CISA) 
(hereinafter `common form') is approved by OMB under the Paperwork 
Reduction Act (PRA). Six months after the common form's PRA approval by 
OMB, agencies must collect attestations for all software subject to the 
requirements delineated in M-22-18, as amended by this memorandum.'' 
(Update to Memorandum M-22-18, Enhancing the Security of the Software 
Supply Chain through Secure Software Development Practices, page 2, 
June 9, 2023) Per M-22-18, as amended by M-23-16, this requirement 
applies to agencies' use of software developed after the effective date 
of M-22-18 (Sep. 14, 2022), as well as use of existing software that is 
modified by major version changes after the effective date of M-22-18 
(September 14, 2022). CISA's common self-attestation form does not 
preclude agencies from adding agency-specific requirements to the 
minimum requirements in CISA's common self-attestation form. However, 
any agency specific attestation requirements, modification and/or 
supplementation of these common forms will require clearance by OMB/
OIRA under the PRA process and are not covered by this notice.

II. Responses

    CISA received 110 comments in response to the 60-day public notice 
for the secure software self-attestation common form which concluded 
the 26th of June 2023. Comments can be found at regulations.gov under 
docket number CISA-2023-0001.\5\ Summaries of the comments and CISA 
responses can be found at: www.reginfo.gov/public/do/PRAMain. Find this 
information collection by selecting ``Currently under Review--Open for 
Public Comments'' or by using the search function. As result of public 
comment, CISA has changed the draft self attestation common form 
described in the 60-day notice in the following manner:
---------------------------------------------------------------------------

    \5\ https://www.federalregister.gov/documents/2023/04/27/2023-08823/agency-information-collection-activities-request-for-comment-on-secure-software-development.
---------------------------------------------------------------------------

     Added the citations to the appropriate NIST Guidance under 
``What is the Purpose of Filling out this form'' to now read: ``to 
issue guidance ``identifying practices that enhance the security of the 
software supply chain.'' The NIST Secure Software Development Framework 
(SSDF), SP 800-218, and the NIST Software Supply Chain Security 
Guidance (these two documents, taken together, are hereinafter referred 
to as ``NIST Guidance'') include a set of practices that create the 
foundation for developing secure software.'' ''
     Included references to M-23-16 throughout.
     Under ``What is the Purpose of Filling out this Form?'' 
edited the ``and'' to ``or'' in the list of software that requires 
self-attestation.
     Edited the software products and components that are not 
in scope for M-22-18, as amended by M-23-16, and do not require self 
attestation to now read:
    1. ``Software developed by Federal agencies;
    2. Open source software that is freely and directly obtained by a 
federal agency; or
    3. Software that is freely obtained and publicly available.''
    This aligns with M-23-16. This changes is also reflected in the 
Form on page 8.
     Under ``Filling Out the Form,'' added ``When the software 
producer chooses to verify conformance with the minimum requirements by 
a certified FedRAMP Third Party Assessor Organization (3PAO) or other 
3PAO approved in writing by an appropriate agency official, the 
software producer must attach the assessment in lieu of a signed 
attestation. The 3PAO must use relevant NIST Guidance, which

[[Page 78761]]

includes all elements outlined in this form, as part of the assessment 
baseline. To rely upon a third-party assessment, the software producer 
must check the appropriate box in Section III and attach the assessment 
to the form. The producer need not sign the form in this instance.''
     Modified language under ``Additional Information'' to 
clarify that an agency may still use the producer's software if the 
producer identifies the practices to which they cannot attest, 
documents practices they have in place to mitigate associated risks, 
and submits a plan of actions and milestones (POA&M) to the agency.
     Added additional language (in italics) under ``Additional 
Information'' to include: ``Software producers may be asked by agencies 
to provide additional attestation artifacts or documentation, such as a 
Software Bill of Materials (SBOMs) or documentation from a certified 
FedRAMP third party assessor organization (3PAO) or other 3PAO approved 
in writing by an appropriate agency official.''
     Under ``Additional Information,'' removed ``If the 
relevant software has been verified by a certified FedRAMP third party 
assessor organization (3PAO) or other 3PAO approved in writing by an 
appropriate agency official, and the assessor used relevant NIST 
guidance, the software producer does not need to submit a signed 
attestation. However, relevant documentation from the 3PAO is 
required.''
     Moved the minimum attestation reference to the appendix.
     Added ``Version 1.0'' to the form.
     Added ``Revised Attestation'' in the case of necessary 
corrections or edits.
     In Section I, on page 8, added that additional pages can 
be attached to the attestation if more lines are needed to 
appropriately list all relevant products.
     Removed Product Line from Type of Attestation due to 
confusion. Product line presents problem such as when a new product is 
added. Also removed ``product line'' in the file name structure example 
on page 3.
     Modified the language on page 8 to now read: ``Note: In 
signing this attestation, software producers are attesting to adhering 
to the secure software development practices outlined in Section III.'' 
This clarifies the practices to which software producers are attesting.
     Removed First Name, Last Name and modified to just Name.
     Under Requirement #2 in Section III, modified to remove 
redundancies and now reads: ``The software producer has made a good-
faith effort to maintain trusted source code supply chains by employing 
automated tools or comparable processes to address the security of 
internal code and third-party components and manage related 
vulnerabilities.'' This modification is also reflected in the reference 
table in the appendix.
     Removed duplicative requirement previously listed under 
3). This modification is also reflected in the reference table in the 
appendix.
     Modified minimum requirement regarding provenance to now 
read: ``The software producer maintains provenance for internal code 
and third-party components incorporated into the software.'' This 
modification is also reflected in the reference table in the appendix.
     Modified minimum requirement regarding security 
vulnerabilities to now read:
    [cir] ``(4) The software producer employs automated tools or 
comparable processes that check for security vulnerabilities. In 
addition:
    (a) The software producer operates these processes on an ongoing 
basis and, at a minimum, prior to product, version, or update releases;
    (b) The software producer has a policy or process to address 
discovered security vulnerabilities prior to product release; and
    (c) The software producer operates a vulnerability disclosure 
program and accepts, reviews, and addresses disclosed software 
vulnerabilities in a timely fashion and according to any timelines 
specified in the vulnerability disclosure program or applicable 
policies.''
    A redundant ``and'' was removed under section 4(a). These 
modifications are also reflected in the reference table in the 
appendix.
     Added ``To the best of my knowledge'' after ``I attest'' 
in both instances in the attestation section (Section III).
     Modified signature line to clarify signature of CEO or COO 
is acceptable; it now reads: ``Signature of CEO or COO and Date (YYYY-
MM-DD).'' This modification is also reflected in the instructions on 
page 3.
     Added ``OR'' between CEO signature and 3PAO certification 
option and modified ``I attest that the referenced software has been 
verified by a certified FedRAMP Third Party Assessor Organization 
(3PAO) or other 3PAO approved in writing by an appropriate agency 
official has evaluated our conformance to all elements in this form'' 
to ``A certified FedRAMP Third Party Assessor Organization (3PAO) or 
other 3PAO approved in writing by an appropriate agency official has 
evaluated our conformance to all elements in this form. The 3PAO used 
relevant NIST Guidance, which includes all elements outlined in this 
form, as the assessment baseline. The assessment is attached.''
     Under Attachment(s) removed: ``Please check the 
appropriate boxes below, if applicable: There are addendums and/or 
artifacts attached to this self-attestation form, the title and 
contents of which are delineated below the signature line. I attest the 
referenced software has been verified by a certified FedRAMP Third 
Party Assessor Organization (3PAO) or other 3PAO approved in writing by 
an appropriate agency official, and the Assessor used relevant NIST 
Guidance, which includes all elements outlined in this form, as the 
assessment baseline. Relevant documentation is attached.''
     Removed ``Title of Individual signing on behalf of the 
organization.''

Analysis

    Agency: Cybersecurity and Infrastructure Security Agency (CISA), 
Department of Homeland Security (DHS).
    Title: Secure Software Development Attestation.
    OMB Number: 1670-NEW.
    Frequency: Annually.
    Affected Public: Business-Software Producers.
    Estimated Number of Respondents per Initial Submission: 16,688.
    Estimated Number of Respondents per Resubmission: 8,344.
    Estimated Number of Responses per Respondent per Initial 
Submission: 3.
    Estimated Number of Responses per Respondent per Resubmission: 1.
    Estimated Time for Initial Submission per Respondent: 3 hours and 
20 minutes.
    Estimated Time for Resubmission per Respondent: 1 hour and 50 
minutes.
    Total Annualized Hours for Initial Submission: 83,432 hours.
    Total Annualized Hours for Resubmission: 7,647 hours.
    Estimated Number of Respondents per POA&M Development: 14,105.
    Estimated Number of Responses per Respondent per POA&M Development: 
1.
    Estimated Time for POA&M Development per Respondent: 6 Hours.
    Total Annualized Hours for POA&M Development: 84,630 hours.
    Estimated Cost to Public: $13,264,954.

Robert J. Costello,
Chief Information Officer, Department of Homeland Security, 
Cybersecurity and Infrastructure Security Agency.
[FR Doc. 2023-25251 Filed 11-15-23; 8:45 am]
BILLING CODE 9110-9P-P