Thursday, April 27, 2023

CISA Publishes Software Attestation 60-day ICR Notice

Today, CISA published a 60-day information collection request (ICR) notice in the Federal Register (88 FR 25670-25672) for “Request for Comment on Secure Software Development Attestation Common Form”. This supports the requirements outlined in OMB Memorandum M-22-18 for suppliers of software to federal agencies to “attest to conformity with secure software development practices” outlined in the NIST Secure Software Development Framework (SSDF), SP 800-218, and the NIST Software Supply Chain Security Guidance.

CISA is acting as the sponsor for this new governmentwide form (not yet published), but the burden estimate in the ICR is based solely upon DHS contracting data. Other agencies will be required to prepare separate burden estimates and publish their own associated ICR notices. CISA will provide a copy of the actual attestation form when it submits the ICR to OIRA. I suspect that it will be published in the ICR docket (see below) before the end of the comment period on this ICR Notice.

Based upon data from the DHS Federal Procurement Data System, CISA estimates that there will be 2,689 initial submissions and 1,345 resubmissions of the newly required attestation forms. Initial submissions would have a 3-hour 20-minute burden associated with each submission (8,963 total hours) and a 1-hour 50-minute burden associated with the resubmissions (2,466 total hours) for a total of $923,623.

CISA is soliciting public comments on this ICR. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # CISA-2023-0001). Comments should be submitted by June 26th, 2023.
