New GSA requirement – attest to software safety
According to a recent GSA memo, software vendors will be required to submit letters of attestation so that only approved software is acquired and used by GSA. GSA plans to use a Cybersecurity and Infrastructure Security Agency form to collect the letters. The forms will be available in early June. (FEDSCOOP February 1, 2023)
Cybersecurity and Infrastructure Security Agency (CISA) Chief Jen Easterly recently urged industry to take responsibility for ensuring the safety of its products. The CISA Chief also recommended that shareholders make sure C-suite executives treat cyber risk as a board-level issue. (ibid)
GSA is collecting the letters of attestation in an effort to implement a memo signed by the White House. The memo requires all federal agencies to verify that all distributed third-party IT software adheres to the National Institute of Standards and Technology (NIST) supply chain security requirements. (ibid)
The Federal Acquisition Council is considering embedding the requirement for software providers to attest to the security of their products within the Federal Acquisition Regulation (FAR). (ibid)
According to the memo, “GSA’s acquisition regulations (GSAM 511.170(d)) require GSA’s Information Technology (IT) Office to approve new software before its use at GSA. To comply with Executive Order 14028 and OMB Memorandum M-22-18, which require federal agencies to only use software that complies with Government-specified secure software development practices, GSA IT will update its processes to approve software including requiring vendor attestations. GSA IT anticipates issuing an updated attestation process by June 12, 2023.” (Memorandum for the GSA Acquisition Workforce 1/11/23)
The memo also states, “Contractors providing GSA with a cloud-based solution are encouraged to work with the Federal Risk and Authorization Management Program (FedRAMP). The FedRAMP approval process will streamline the GSA IT Standards Process allowing for a timely contract start. GSA also anticipates that leveraging FedRAMP will ensure and streamline compliance with the requirements of OMB Memo M-22-18 in the future.” (ibid)
Have questions or need some guidance with your letter of attestation? Give us a call.