
Tag: Cybersecurity and Infrastructure Security Agency

New GSA requirement – attest to software safety

According to a recent GSA memo, software vendors will be required to attest to the security of their products so that only approved software is acquired and used by GSA. GSA plans to use a Cybersecurity and Infrastructure Security Agency form to collect the letters of attestation. The forms will be available in early June. (FEDSCOOP February 1, 2023)

Cybersecurity and Infrastructure Security Agency (CISA) Chief Jen Easterly recently urged industry to take responsibility for ensuring the safety of its products. She also recommended that shareholders make sure C-suite executives treat cyber risk as a board-level issue. (ibid)

GSA is collecting the letters of attestation to implement a memo signed by the White House. The memo requires all federal agencies to verify that all third-party IT software they distribute adheres to the National Institute of Standards and Technology (NIST) supply chain security requirements. (ibid)

The Federal Acquisition Council is considering embedding the requirement for software providers to attest to the security of their products within the Federal Acquisition Regulation (FAR). (ibid)

According to the memo, “GSA’s acquisition regulations (GSAM 511.170(d)) require GSA’s Information Technology (IT) Office to approve new software before its use at GSA. To comply with Executive Order 14028 and OMB Memorandum M-22-18, which require federal agencies to only use software that complies with Government-specified secure software development practices, GSA IT will update its processes to approve software including requiring vendor attestations. GSA IT anticipates issuing an updated attestation process by June 12, 2023.” (Memorandum for the GSA Acquisition Workforce 1/11/23)

The memo also states, “Contractors providing GSA with a cloud-based solution are encouraged to work with the Federal Risk and Authorization Management Program (FedRAMP). The FedRAMP approval process will streamline the GSA IT Standards Process allowing for a timely contract start. GSA also anticipates that leveraging FedRAMP will ensure and streamline compliance with the requirements of OMB Memo M-22-18 in the future.” (ibid)

Have questions or need some guidance with your letter of attestation? Give us a call.

Higher federal procurement standards for IT providers – Are you ready?

The White House is spearheading an interagency effort, centered on software development practices, that will shape federal procurement of information technology (IT). In the coming weeks, vendors can expect to see new governmentwide IT security standards. This comes after many tech companies complained that the Trump-era effort limited the import of information and communications technology from “foreign adversaries” while leaving the definition of the term “foreign adversary” up to the Commerce Secretary. In addition, the rule as it stands today is broad and raises concerns over due process.

The SolarWinds breach will ultimately raise the bar on vendor security, with restrictions on technology from many countries, not just China. The effort also focuses on vendors themselves and on the possibility of vulnerability disclosure policies that encourage reporting of weaknesses in their products. Ultimately, vendors providing IT products and services to federal agencies must have the proper level of cybersecurity in place.

Cybersecurity and Infrastructure Security Agency Acting Director Brandon Wales said agencies are working together to ensure consistency in the government’s approach to supply chain security across the Commerce Department rule and an executive order aimed at removing foreign adversaries from the bulk power sector. Wales also said, “the administration is counting on higher federal procurement standards to elevate security across the private sector as well.”

Are your IT products compliant? Give us a call.