Today, Fortress Information Security released new software attestation capabilities to enable government agencies and government contractors to meet stringent software security mandates expected in early 2024. With improved capabilities for Software Supply Chain Security (SSCS), Fortress' newest offering helps public sector supply chains become more secure and resilient.
New federal mandates require all federal vendors and contractors to complete an attestation form for software products they sell to federal agencies. Attestations assure that software used by government agencies is securely developed according to the National Institute of Standards and Technology's (NIST) Secure Software Development Framework (SSDF).
"Once OMB approves the attestation form, federal agencies will have to move very quickly to meet the requirements in the President’s Cybersecurity Strategy," said Ty Short, Vice President of Product. "Contractors will need to be ready to hit the ground running. By providing users with the most comprehensive, secure software development testing record, our attestation product reduces regulatory burdens to both government agencies and contractors. Additionally, users will see cost savings thanks to the ability to collaborate on attestations, certifications, and Plan of Action & Milestones."
The push for attestations is a part of the President’s Cybersecurity Strategy and a result of the SolarWinds supply chain hack of 2021, which many believe was launched by the Russian Intelligence Service. New research by Fortress shows that developers in Russia and China are building components frequently found in repositories like GitHub and in software commonly used by America’s electric companies.
Key features and capabilities of the Fortress attestation offering include:
- Software version tracking to initiate attestation updates as new major software versions are released
- Single interface to track compliance, remediation efforts, and exception management
- Designation of critical software
- Vendor outreach to ensure attestation response
- Unification of existing tools with Fortress Platform API and connectors
Fortress’ outreach to suppliers for Secure Software Development (SSD) attestations is executed through the North American Energy Software Assurance Database (NAESAD). NAESAD enables the sharing of attestations at scale with all federal customers, simplifying the response process and speeding up response times.
"Federal agencies can create a more integrated, secure, and efficient software development ecosystem that aligns with their strategic goals," said Short. "Fortress guides our clients through product discovery, attestation collection, triaging non-compliance, escalations, and replacement tracking, as well as continuous monitoring for new software versions to ensure attestations are up to date and accurate. This solution is absolutely critical to helping federal agencies, vendors, and contractors meet new attestation requirements."
About Fortress Information Security
Fortress secures North America's power and defense supply chains from cyberattacks on operational and critical enterprise technologies. Fortress' proprietary technology platform orchestrates North America's most advanced cyber supply chain risk management and vulnerability management programs. Fortress operates the Asset to Vendor network, which gives critical operators confidence that the products and services they obtain from others are cyber-safe. Fortress is a Goldman Sachs Portfolio Company.
North American Energy Software Assurance Database (NAESAD): An industry-wide collaborative database to create and share Software Bills of Materials (SBOM) in products used by utilities across North America. NAESAD is led by several investor-owned utilities (including AEP, Southern, Xcel, and NiSource) and managed by Fortress Information Security to create a comprehensive SBOM library for common vendors and suppliers.