Navigating the New Secure Software Development Attestation Form (SSDF): What It Means for Software Vendors and Small Businesses

Did You Know?

On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) released the Secure Software Development Attestation Form (SSDF), a common form that will help ensure the software producers who partner with the federal government leverage minimum secure development techniques and toolsets. The SSDF is a document that software producers must complete to attest to the security measures and practices implemented in their software development processes. This form is part of the broader effort to ensure the security of software used by federal agencies.

Software vendors use this form to certify that they have taken specific steps to secure their software, including:

  • Developing Software in Secure Environments: Ensuring the use of separate development environments, multifactor authentication, encryption, and continuous monitoring.
  • Maintaining Trusted Source Code Supply Chains: Using automated tools or comparable processes to secure both internal and third-party code.
  • Provenance of Code: Keeping a record of the origins of internal and third-party code.
  • Vulnerability Management: Implementing automated tools or processes to detect and address security vulnerabilities continuously.

Alternatively, software producers can use a third-party assessment to demonstrate compliance. This assessment must be conducted by a certified Third-Party Assessor Organization (3PAO) following relevant NIST guidelines.

This requirement applies to:

  • Software-as-a-Service (SaaS) Providers: Companies that deliver software through continuous delivery or deployment models.
  • Commercial Software Producers: Vendors offering software products or services that are used by federal agencies.
  • Software Developed by Contractors: Organizations contracted to develop software for federal use.
  • Software Containing Third-Party Components: Vendors whose products rely on third-party or open-source software components must attest to securing these components.

If a vendor cannot attest to all the required practices, they must submit a Plan of Action and Milestones
(POA&M) detailing how they plan to address the gaps and the timeline for doing so. Failure to comply
with the attestation requirements can result in severe penalties, including loss of federal contracts and
legal consequences under the False Claims Act.

How could this impact your firm?
Small businesses that provide software and software support services will need to invest additional
time and resources into understanding and completing this form. This includes documenting their
software development practices, ensuring compliance with security standards, and potentially creating
new policies and procedures if they do not already exist. This could be particularly burdensome if the
company lacks dedicated cybersecurity staff. Compliance may require investing in new tools and
technologies (e.g., automated tools for vulnerability management or for maintaining secure development
environments), training for in-house staff, or hiring certified third-party assessors.

A copy of the SSDF form can be found here.
A copy of the Federal Register explanation of the form and the rules governing its implementation can be
found here.
Answers to Frequently Asked Questions (FAQs) over the SSDF can be found here.