Cybersecurity Month: Essential Software Supply Chain Cybersecurity Resources for 2024 and Beyond.
Response to EO 14028 Section 4 
Streamline Secure Software Development Attestation Collection

Ensure critical federal cybersecurity compliance. Fortress’s Executive Order 14028 checklist will help you ask the right questions and familiarize yourself with the requirements specific to your agency or business.

Whether you are a software producer or software purchaser, Fortress can help you fulfill EO 14028 sec. 4 mandates.

Fill out the form to download your helpful guide or, if you are ready to partner with an expert to streamline compliance, select “Talk to an Expert” to chat with a Fortress professional today.

This includes:

  • A Preparation Checklist
  • An Inventory Software Checklist
  • Tips to Identify Critical Software
  • Software Security Risk Solution Information

Download your EO 14028 checklist!

Executive Order (EO) 14028 section 4 (“Enhancing Software Supply Chain Security”) requires “Software Producers,” vendors who sell software to the United States government, to maintain secure development environments and trusted source code supply chains in compliance with NIST Secure Software Development Framework (SSDF) standards.

Software producers must track the provenance of source code and components in their software supply chains, track all vulnerabilities prior to each new release, and participate in vulnerability disclosure programs. Upon request, software producers must provide auditable reports of these activities and software bills of materials (SBOMs) or other artifacts.

Federal agencies, referred to as “Software Purchasers,” are required by EO 14028 section 4 to collect Secure Software Development attestations from Software Producers prior to implementing new software. Optionally, Software Purchasers may request artifacts such as SBOMs as evidence of conformity to SSDF standards.

To ensure compliance and uninterrupted use of critical applications and software, federal agencies should inform their software vendors of these emerging requirements.

How Do Federal Agencies Comply?

The Federal Agency must receive a current and completed Software Producer’s Attestation Form for any critical software developed after September 14, 2022. Currently, DHS CISA is seeking feedback on the supplier self-attestation document that the federal agency must receive prior to using software subject to EO 14028.

If the Software Producer does not provide a completed Attestation Form, they must submit a third-party assessment documenting conformance to the NIST SP 800-218 Secure Software Development Framework (SSDF) version 1.1. The third-party assessment must be performed by a Third-Party Assessor Organization (3PAO) that is FedRAMP certified or approved in writing by an appropriate federal agency official. Fortress has been officially recognized by TVA as its third-party assessment organization. The assessment must either be posted on the Software Producer’s website or emailed to the federal agency point of contact.

In the event the Software Producer cannot demonstrate compliance via the form or the third-party assessment, they must submit a plan of action and milestones (POA&M) to the agency. The federal agency must either accept or reject the POA&M. A rejected or non-approved POA&M will interrupt the continued use or purchase of the in-scope software.

How Do Software Producers Comply?

The Software Producer must comply with each agency’s request to demonstrate compliance with EO 14028. The Attestation, Assessment or POA&M must be filed for each application used by the requesting federal agency. In most cases, the federal agency will proactively correspond with the Software Producer to inform them of the requirement and to provide ample time to deliver the attestation, assessment results or POA&M. However, there will be circumstances in which the federal agency does not properly inform the Software Producer and instead pressures the producer to complete the required information in short order. To minimize impact and disruption to the supplier, it is recommended that the supplier proactively complete the Common Attestation Form.


DHS CISA's Secure Software Self-Attestation Common Form

On November 16, 2023, CISA, in accordance with Executive Order 14028 and the Office of Management and Budget’s (OMB) guidance in OMB M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices, released through regulations.gov a 30-day Request for Comment on the draft Secure Software Development Attestation Common Form.

Speak with an Expert

Your cyber supply chain — the hardware, software, processes, and vendor ecosystem — poses vulnerabilities that are as yet unseen. Take our 30-minute discovery assessment to uncover vulnerabilities and take the next step toward reducing your risk.