The Software Producer must comply with each agency's request to demonstrate compliance with EO 14028. An attestation, third-party assessment or POA&M must be filed for each application used by the requesting federal agency. In most cases, the federal agency will proactively contact the Software Producer to inform them of the requirement and give them ample time to provide the attestation, assessment results or POA&M. However, there will be cases in which the federal agency does not properly inform the Software Producer and instead pressures the producer to complete the required documentation on short notice. To minimize the impact and disruption to the supplier, it is recommended that the supplier proactively and successfully complete the common attestation form in advance of any agency request.
If the Software Producer does not provide a completed attestation form, they must instead submit a third-party assessment documenting conformance to the NIST SP 800-218 Secure Software Development Framework (SSDF) version 1.1. The only acceptable third-party assessment is one performed by a Third-Party Assessor Organization (3PAO) that is FedRAMP certified or has been approved in writing by an appropriate federal agency official. Fortress has been officially recognized by TVA as its third-party assessment organization. The completed assessment must either be posted on the Software Producer's website or emailed to the federal agency point of contact.
If the Software Producer cannot demonstrate compliance via either the attestation form or the third-party assessment, they must submit a plan of action and milestones (POA&M) to the agency. The federal agency must then either accept or reject the POA&M. A rejected or unapproved POA&M will interrupt the agency's continued use or purchase of the in-scope software.