The Information Technology Industry Council (ITI) is calling for a standardized and transparent procedure for software developers to self-certify secure software development methods.
According to a press release, ITI made its comments in acknowledgement of the obstacles that government contractors face when deploying new information security requirements. The Cybersecurity and Infrastructure Security Agency (CISA) has partnered with the Office of Management and Budget (OMB) to draft a framework to provide standards to guide federal agencies on the implementation of requirements to ensure the security of federally used software.
“ITI agrees with the policy goal of promoting software producers’ adherence to reasonable and risk-based secure software development practices,” said ITI Executive Vice President of Policy Gordon Bitko, according to the press release. “We applaud the Biden Administration’s commitment to leveraging industry’s subject matter expertise in strengthening the United States’ cybersecurity posture and will continue to provide stakeholder feedback through as many formal channels as possible. Yet, the iterative approach to implementing the minimum security requirements, paired with an ambitious timeline, has posed significant challenges for industry to make risk-based decisions on the appropriate investments to provide the federal government with the desired level of secure software development assurance. We are concerned about how the collection process will be operationalized and about the liability implications that the current level of ambiguity poses. We would welcome discussions with OMB and CISA on how potential, perceived, or asserted attestation inaccuracies will be addressed, and we believe that all affected stakeholders desire fair and reasonable treatment in that regard.”
According to the press release, ITI is calling for CISA and OMB to update the form so that: the form’s requirements are read as expressly written; the reference table in the form’s instructions is for informational purposes only and does not influence, modify, embellish, or otherwise affect the five requirements; software bills of materials (SBOMs) are not part of the form’s minimum requirements; and software producers are not attesting to third-party-developed code.
Adopting a standardized, transparent deployment process would help companies reduce risk, manage costs and provide assurance efficiently, according to the press release.