On Monday March 11, CISA and the Office of Management and Budget (OMB) released the final version of the Secure Software Development Attestation Form (the “common form”) that has gone through multiple rounds of review since early 2023.

What is the “common form”?

The Secure Software Development Attestation Form was mandated by OMB memo M-22-18 which put new requirements on software producers supplying U.S. government agencies to comply with NIST Guidance for secure software development practices:

Consistent with the NIST Guidance and by the timelines identified below, agencies are required to obtain a self-attestation from the software producer before using the Software. [..] A software producer’s self-attestation serves as a “conformance statement” described by the NIST Guidance. The agency must obtain a self-attestation for all third-party software subject to the requirements of this memorandum used by the agency, including software renewals and major version changes.

M-22-18 specifically tasked CISA and OMB with creating this new form:

Within 120 days from the date of this memorandum, CISA, in consultation with OMB, will establish a standard self-attestation “common form” for Paperwork Reduction Act (PRA) clearance that is suitable for use by multiple agencies.

Multiple drafts of the form were published for feedback during 2023, and the final form was released on March 11, 2024.

What does the “common form” require for open source software?

The final form establishes the following requirement (emphasis ours):

Software producers who utilize third party components in their software are required to attest that they have taken specific steps, detailed in “Section III – Attestation and Signature” of the common form, to minimize the risks of relying on such components in their products.

The referenced Section III then requires organizations to attest that they:

“make a good-faith effort to maintain trusted source code supply chains by employing automated tools or comparable processes to address the security of internal code and third-party components and manage related vulnerabilities” (Section III, part 2)

And also:

“maintain provenance for internal code and third-party components incorporated into the software to the greatest extent feasible” (Section III, part 3)

How can organizations comply with the new “common form” requirements for their third-party open source components?

Organizations that supply software to the U.S. government need to ensure that they can attest to making the required “good-faith effort to maintain trusted source code supply chains” and to maintaining “provenance for internal code and third-party components incorporated into the software to the greatest extent feasible”.

Third-party open source software components typically comprise over 70% of the code in a modern application. The hard reality is that open source projects are constantly evolving, and doing the work to ensure appropriate secure development practices are in place and correctly documented takes time, and can get challenging to scale, especially considering most organizations typically rely on thousands of open source packages. 

Tidelift has been working to address these very challenges. To show how we help organizations meet the new U.S. government requirements for the open source components being used in their applications, we’ve created a sample open source attestation report using the most comprehensive database of maintainer-validated security and maintenance attestations. Tidelift is uniquely positioned to deliver this report through its partnerships with open source maintainers, who are paid to ensure their projects follow important security and maintenance practices like those found in the NIST SSDF and keep those attestations up-to-date.  

Learn more about this open source attestation report or contact us to request a custom open source attestation report for the components being used in your organization.