On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”) and the Office of Management and Budget (“OMB”) released the long-awaited Secure Software Development Certification Form (also known as the “Common Form”), and on March 18, 2024, CISA’s form repository went live.
The Common Form will be used by federal agencies to obtain certifications from software developers regarding the security of their products, in accordance with Executive Order 14028 on Improving the Nation’s Cybersecurity and OMB memoranda M-22-18 and M-23-16.
In April 2023, CISA published an initial draft of the Common Form, and in December 2023, CISA published a revised draft. We covered the key takeaways from the initial draft here and from the revised draft here. CISA sought feedback from stakeholders and industry on the revised draft during a public comment period that ended on December 18, 2023.
Below are the key changes from the December 2023 revised draft:
- The Common Form adds a fourth category of software products and components that do not require self-certification (i.e., open-source and proprietary third-party components that are embedded in the final software product used by the agency);
- In this version, the Common Form must be signed by the chief executive officer (“CEO”) of the software manufacturer or the CEO’s designee (rather than the chief operating officer), who must be an employee of the software manufacturer and have the authority to bind the organization;
- The Common Form requires the relevant agency to take appropriate steps to ensure that a third-party assessment (by a “3PAO”) of the software manufacturer is not made public, either by the vendor or by the agency itself;
- The Common Form notes that certifications are binding on future versions of the specified software product unless and until the software manufacturer notifies the relevant agencies that its development practices no longer conform to the required elements specified in the certification;
- The Common Form relaxes the requirement that the software manufacturer maintain the provenance of internal code and third-party components embedded in the software by adding the qualifier “to the greatest extent possible”; and
- The Common Form clarifies that signing a certification means that the software manufacturer confirms that it adheres to secure software development practices for code developed by the manufacturer.
OMB M-23-16 requires agencies to collect certifications from software manufacturers for “critical” software no later than three months after OMB approves the CISA Common Self-Certification Form, and for all other software within six months.
Neither the March 11, 2024 announcement nor the March 18, 2024 CISA announcement refers to those timelines.
Affected software manufacturers should familiarize themselves with the repository website, request an account if necessary, and prepare to submit the Common Form. We generally expect these requirements to be set out in a contract or agreement in order to take effect, so companies should consider the legal implications of the certification and the associated timing before submitting the form.