Make sure you have what is needed to adhere to the form's requirements
The adoption of software supply chain security best practices is at a watershed moment similar to the publication of the PCI compliance requirements in 2006. Just as then, the new rules place significant demands on company leadership, in this case to attest to the security of their software and to the exact means used to achieve it.
The proposed Secure Software Development Attestation Form, still in final-draft form, was put forth by DHS/CISA as required by OMB memo M-23-16 and, before it, memo M-22-18. It is an obligation that carries significant liability: it must be signed by the company's leadership, attesting that the company meets the form's requirements, and the signers are expected to be able to back their signature with appropriate evidence should a software supply chain attack occur.
The form's four clauses cover a wide range of requirements yet offer no guidance on how to comply. The wide variety of tech stacks, cloud environments, CI/CD tools, and configurations found across the industry makes it hard to collect the varied evidence the form calls for.
There is also the issue of verification timing. Unless the company collects evidence continually, there will be little it can do to prove, after the fact, that it was following the practices it signed on to at the time in question.
Automatically and continuously collecting the evidence in a trusted manner, and continuously verifying it against the SDLC policies the company defined and signed on to, is the right way to prove the form's requirements were followed.
Get this white paper to explore how Scribe can help you automatically collect and sign evidence as proof for building trust in software.
We advise on what should be part of the required evidence, including log files, screenshots, configuration files, and so on. We collect evidence from 3rd party tools and include it alongside the rest of the evidence from the SDLC and build pipelines. We then turn this evidence into immutable, signed attestations that are saved in a secure store, so that neither the evidence nor the claim made about it can be altered after the fact without detection.
Such evidence can serve as valid attestations for SLSA or SSDF compliance. Each company can define its own policies on top of the sign-verify model: evidence is signed at collection time and verified against policy whenever compliance must be shown.
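To make the sign-verify model concrete, the following added example (not Scribe's code, and not taken from the white paper) shows what a signed, immutable attestation over a piece of SDLC evidence looks like: a constructed CI log line is hashed, the digest and collection context are wrapped in a statement modelled on the in-toto attestation layout, the statement is signed with an Ed25519 key, and a verifier later checks both the signature and that the evidence presented still matches the signed digest. The predicate type URL, the collector name, and the log line are assumptions made for the example; the SSDF practice identifier is illustrative.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Statement is modelled on the in-toto attestation layout (simplified for
// this example; not Scribe's own format).
type Statement struct {
	Type          string    `json:"_type"`
	PredicateType string    `json:"predicateType"`
	Subject       []Subject `json:"subject"`
	Predicate     Predicate `json:"predicate"`
}

// Subject names the evidence artifact and pins it by digest.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Predicate records which SDLC control the evidence supports and how it was collected.
type Predicate struct {
	Control     string `json:"control"`     // illustrative: an SSDF practice identifier
	Collector   string `json:"collector"`   // assumed name of the collecting agent
	CollectedAt string `json:"collectedAt"` // constructed timestamp
}

// Envelope carries the serialized statement and a detached signature over it.
type Envelope struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Attest hashes an evidence blob, wraps the digest and context in a statement,
// and signs the serialized statement with the collector's private key.
func Attest(priv ed25519.PrivateKey, name string, evidence []byte, pred Predicate) (Envelope, error) {
	st := Statement{
		Type:          "https://in-toto.io/Statement/v1",
		PredicateType: "https://example.com/sdlc-evidence/v1", // assumption: hypothetical predicate type
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": sha256Hex(evidence)}}},
		Predicate:     pred,
	}
	payload, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify checks the signature with the trusted public key, then checks that the
// evidence presented now still matches the digest that was signed. Either a
// modified statement or modified evidence is rejected.
func Verify(pub ed25519.PublicKey, env Envelope, evidence []byte) (Statement, error) {
	var st Statement
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return st, fmt.Errorf("signature does not verify: statement altered or untrusted key")
	}
	if err := json.Unmarshal(env.Payload, &st); err != nil {
		return st, err
	}
	if len(st.Subject) != 1 || st.Subject[0].Digest["sha256"] != sha256Hex(evidence) {
		return st, fmt.Errorf("evidence digest mismatch: evidence changed after attestation")
	}
	return st, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample evidence: a CI log line showing a required control ran.
	evidence := []byte("2024-03-01T10:00:00Z job=build step=sast tool=semgrep result=pass\n")
	pred := Predicate{Control: "PO.3", Collector: "ci-runner-01", CollectedAt: "2024-03-01T10:00:05Z"}
	env, _ := Attest(priv, "build-1234/ci.log", evidence, pred)
	if _, err := Verify(pub, env, evidence); err == nil {
		fmt.Println("attestation verified against original evidence")
	}
	// Tampered evidence (same envelope) is detected on verification.
	_, err := Verify(pub, env, []byte("2024-03-01T10:00:00Z job=build step=sast tool=semgrep result=fail\n"))
	fmt.Println("tampered evidence:", err)
}
```

The verifier only needs the public key and the envelope; the private key stays with the collector, which is what lets a signature made at build time stand as proof later. In a real deployment the envelope would be written to the append-only store the text describes, and the same Verify step would run as part of policy evaluation.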
The Scribe platform presents all the collected evidence in a form that is easy to query and segment. One can examine the aggregated SBOM view across all builds and products, a full report of out-of-date components, a comprehensive vulnerability report (including each finding's CVSS score and EPSS exploitation probability), and a library reputation report based on the OpenSSF Scorecard project.