The Office of Management and Budget has issued a memorandum reaffirming the importance of secure software development practices and extending the deadlines for when agencies should gather attestations from software companies.
Agencies should collect attestation letters for “critical software” no later than three months after the common attestation form issued by the Cybersecurity and Infrastructure Security Agency is cleared by OMB under the Paperwork Reduction Act, OMB said in the memo published Friday.
OMB asks that attestations for all software should be collected no later than six months after the common form is approved by OMB under PRA.
The document provides additional guidance on the use of plans of actions and milestones by agencies when a software company cannot provide the needed attestation but intends to do so.
The memo signed by OMB Director Shalanda Young also clarifies the requirements for collecting attestations for third-party components, publicly available and freely obtained proprietary software and federal contractor-developed software.
