GSA to start collecting letters of attestation from software vendors in mid-June

The General Services Administration will begin collecting letters of attestation from software vendors working with the federal government in mid-June, according to a governmentwide acquisition memo.

The agency will use a common form supplied by the Cybersecurity and Infrastructure Security Agency to collect the letters, which it expects will be available before June.

Details on the implementation timeline for the new requirements come as federal contractors’ cybersecurity preparations attract increased scrutiny.

Writing in an op-ed for Foreign Affairs on Wednesday, CISA chief Jen Easterly called for industry to take greater responsibility for ensuring the security of its products and said shareholders should ensure C-suite executives are viewing cyber risk as a board-level issue.

By collecting the letters of attestation, GSA will work to implement a memo signed by the White House in September that requires federal agencies to ensure that all third-party IT software deployed adheres to National Institute of Standards and Technology supply chain security requirements.

Requirements for software vendors working with government to attest to the security of their products were also included in the Biden administration’s May 2021 cyber executive order.

The Federal Acquisition Council is now considering a rule change that would embed the requirement for software vendors to attest to the security of their products within the Federal Acquisition Regulation.

In its memo, GSA said: “To comply with Executive Order 14028 and OMB Memorandum M-22-18, which require federal agencies to only use software that complies with Government-specified secure software development practices, GSA IT will update its processes to approve software, including requiring vendor attestations.”

It added: “GSA IT anticipates issuing an updated attestation process by June 12, 2023.”

In the acquisition notice, GSA said that cloud providers are encouraged to continue working within the Federal Risk and Authorization Management Program (FedRAMP) framework.

“The FedRAMP approval process will streamline the GSA IT Standards Process allowing for a timely contract start,” the agency said. “GSA also anticipates that leveraging FedRAMP will ensure and streamline compliance with requirements of OMB Memo M-22-18 in the future.”