Does your MAS software contract comply?
The Office of Management and Budget (OMB) requires federal agencies to use only software that meets government-specified secure development practices. To comply, agencies require software producers to complete a form attesting that their software follows National Institute of Standards and Technology (NIST) guidelines. These self-attestation forms may be publicly posted by software producers or, if not, uploaded to a Cybersecurity & Infrastructure Security Agency (CISA) repository accessible by agencies. (buy.gsa.gov August 27, 2024)
Ordering activities should review publicly posted attestation forms, those already in the CISA repository, or add new forms to the repository. If a software producer cannot attest to all required practices, the ordering activity must require them to submit a Plan of Action & Milestones (POA&M) and review it before using the software. (ibid)
What Does This Mean For You?
- MAS contractors without software on their MAS contract need not take any action.
- MAS contractors with awarded software:
  - If the software producer has already posted or provided a form to the CISA repository, they don't need to submit it again for the same software version.
  - If not, the software producer or MAS contractor must upload a completed form to the CISA repository. If the producer cannot attest to all practices, the ordering activity will require a POA&M for any deficiencies. (ibid)
Have questions or need forms? Give us a call.