The General Services Administration says it hopes to share details of the updated certification process with tech companies by June 12, 2023.
The General Services Administration will begin collecting letters of attestation from software vendors it works with in mid-June, according to an acquisition memo.
The department will use a common form provided by the Cybersecurity and Infrastructure Security Agency to collect the letters, which it expects will be available before June.
Details on the implementation timeline for the new requirements come as federal contractors’ cybersecurity arrangements attract enhanced scrutiny.
Writing in an op-ed for Foreign Affairs on Wednesday, CISA Chief Jen Easterly called for industry to take greater responsibility for ensuring the safety of its products and said shareholders should ensure C-suite executives are viewing cyber risk as a board-level issue.
By collecting the letters of attestation from vendors, GSA will work to implement a memo signed by the White House in September that requires federal agencies to ensure that all third-party IT software deployed adheres to National Institute of Standards and Technology supply chain security requirements.
Requirements for software vendors working with the government to attest to the safety of their products were also included in the Biden administration’s May 2021 cyber executive order.
“To comply with Executive Order 14028 and OMB Memorandum M-22-18,” the agency wrote, “GSA IT will update its processes to approve software including requiring vendor attestations.”
It added, “GSA IT anticipates issuing an updated attestation process by June 12, 2023.”