Office of Management and Budget guidance requires that federal agencies only use software that complies with government-specified secure software development practices. Agencies comply by requiring software producers to complete a form attesting that the software conforms to National Institute of Standards and Technology (NIST) guidance. Software producers may post these self-attestation forms publicly; if a form is not publicly available, it is uploaded to a Cybersecurity & Infrastructure Security Agency (CISA) repository that agencies can access.
Ordering activities should review attestation forms that are posted publicly or were previously submitted to the CISA repository, or add newly submitted forms to the CISA repository. If a software producer cannot attest to one or more of the practices required by the form, the ordering activity must require the software producer to submit a POA&M (Plan of Action & Milestones) and must review the POA&M before using the software.
What Does This Mean For You?