CISA Secure Software Development Attestation Form Explained

What You Need to Know

As cybersecurity threats grow more complex, federal agencies are placing stricter demands on their software providers. To meet this challenge, the Cybersecurity and Infrastructure Security Agency (CISA), with approval from the Office of Management and Budget (OMB), released the Secure Software Development Attestation Form in March 2024. The form implements the requirement set out in OMB Memoranda M-22-18 and M-23-16: before an agency uses covered software, the producer must attest that it was developed following the secure development practices in NIST SP 800-218, the Secure Software Development Framework (SSDF).

Why This Matters to Software Vendors

If your company sells software to federal agencies, or plans to, this attestation form isn't optional for software covered by those memoranda. An agency cannot use covered software until it has collected the producer's attestation, so the form determines whether you can win and keep federal contracts. Meeting its requirements also strengthens your internal security posture and prepares you for broader supply chain security expectations across the industry.

What is the Secure Software Development Attestation Form?

The Secure Software Development Attestation Form is a self-certification that software producers complete to confirm adherence to secure development practices. It is not an audit: by signing, your organization asserts that it develops and builds software in secure environments, maintains provenance for internal and third-party components, and uses automated tools (or comparable processes) to find and address vulnerabilities. These are the core SSDF measures intended to reduce vulnerabilities in software sold to the U.S. government, and an agency may still ask for supporting artifacts, such as a software bill of materials (SBOM) or a third-party assessment, to back the attestation up.

What Are the Key Requirements of the Secure Software Development Attestation Form?

  1. Secure Software Development Lifecycle (SDLC): Software producers must attest that they follow a secure software development lifecycle, and in particular that the software is developed and built in secure environments. The form spells this out: separating development, build, and production environments; logging and monitoring; enforcing multi-factor authentication and conditional access; minimizing and documenting the software installed in build environments; encrypting sensitive data; and defensive monitoring of those environments. Practices such as threat modeling, code review, static and dynamic analysis, and vulnerability assessments support this by identifying and mitigating security risks throughout development.
  2. Use of Automated Tools: The form requires producers to use automated tools, or comparable processes, to check for security vulnerabilities and to run them before a release. This includes static and dynamic analysis, software composition analysis (SCA), and security checks wired into continuous integration/continuous deployment (CI/CD) pipelines. Automated tools help identify and address security vulnerabilities early in the development lifecycle, and the form also expects a policy or process for handling vulnerability disclosures.
  3. Supply Chain Security: Software producers must attest to a good-faith effort to maintain trusted source code supply chains. This means verifying the integrity of third-party components, managing dependencies, and maintaining provenance data (for example, an SBOM) for internal and third-party code. By doing so, producers help prevent the introduction of vulnerabilities through third-party software.
  4. Compliance with Standards and Guidelines: The attestation maps to specific practices in NIST SP 800-218 (SSDF) and the NIST Software Supply Chain Security Guidance. Producers should be able to show how their secure coding practices, use of encryption, and other controls line up with those practices, since the form cites them directly.
  5. Regular Security Training: Training is not a separate line item on the form, but sustaining the practices above requires development teams that understand them. Regular training should cover secure coding practices, threat awareness, and the use of security tools, so that developers can identify and mitigate security risks and the attestation remains true over time.

How to Submit the Attestation Form

The completed form, along with any supporting artifacts, can be submitted online through CISA's Repository for Software Attestations and Artifacts (RSAA) or, where an agency requests it, by email. The repository provides a centralized platform for managing attestations and gives federal agencies a single place to review them, promoting transparency and accountability. A producer that cannot attest to every practice may instead document the gaps and its mitigation plan, or submit a third-party assessment from a FedRAMP-certified Third Party Assessment Organization (3PAO) in place of the form.

Released in March 2024, the attestation form is still evolving. CISA is exploring ways to make the form machine-readable, which would reduce human interpretation and streamline agency review. Future versions may also include more specific instructions, particularly around third-party software verification and dependency management.

One of the key elements of the Secure Software Development Attestation Form is the signatory: the CEO, or an employee the CEO designates who has the authority to bind the company. The form also notes that willfully providing false information may expose the signer to liability under the federal false statements statute (18 U.S.C. § 1001), so the signature carries real weight. This mandate puts accountability at the top of the organization: responsibility for secure software development practices is not simply delegated to technical teams but is recognized and endorsed by executive leadership. In practice, that means the executive signing the form should expect engineering to show evidence for each attested practice, which reinforces that secure software development is a strategic priority requiring executive oversight and support to be implemented and maintained.