View RCF - OIRA Conclusion

RCF ID: 202404-3084-001CF	Previous RCF ID:
Status: Active	Expiration Date: 03/31/2027
Agency/Subagency: FTC	Agency Tracking No:
Host OMB Control No: 1670-0052	Host ICR Reference No: 202311-1670-001

Title: Secure Software Self-Attestation Common Form

Type of RCF: RCF New
OIRA Conclusion Action: Approved without change	Conclusion Date: 04/24/2024
Retrieve Notice of Action (NOA)	Date Received in OIRA: 04/22/2024
Terms of Clearance:

Description of Agency Usage: The attestation form information will be used by the department or agency to provide great assurances that help understand whether the software provider performed due diligence followed secure code practices which align with NIST 800-216 Secure Software Development Practices (SSDF). OMB circular M-22-18 requires CISA in consultation with OMB to develop a secure software attestation common form for all federal departments and agencies. The FTC and other agencies will collect software attestation information from software suppliers.

Authorizing Statute(s): EO: EO 14028 Name/Subject of EO: Improving the Nation’s Cybersecurity

Annual Cost to Federal Government:
Agency Contact: Jacalyn Johnson 202 326-2218

Common Form Information Collections (IC) in this RCF:

IC Title	Status	Responses	Hours	Dollars	Document Type	Form No.	Form Name
Secure Software Development Attestation Form		167	405	0	Form and Instruction	N/A	Secure Software Sefl-Attestation Common Form

RCF Summary of Burden:

	Total Approved	Change Due to New Statute
Annual Number of Responses	167	167
Annual Time Burden (Hours)	405	405
Annual Cost Burden (Dollars)	0	0

Burden increases because of Program Change due to Agency Discretion: No

Burden Increase Due to:

Burden decreases because of Program Change due to Agency Discretion: No

Burden Reduction Due to:

Short Statement: Executive Order 14028, “Improving the Nation’s Cybersecurity” (E.O. 14028), requires that the Director of OMB take appropriate steps to ensure that Federal agencies comply with Guidance from the National Institute of Standards and Technology (NIST) within the Department of Commerce. To that end, OMB issued Memorandum M-22-18, “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” (M-22-18), on September 14, 2022. That memorandum was updated on June 9, 2023, through OMB Memorandum M-23-16, “Update to Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” (M-23-16). M-22-18, as amended by M-23-16, provides that a Federal agency may use software subject to M-22-18’s requirements only if the producer of that software has first attested to compliance with Federal Government-specified secure software development practices drawn from the SSDF. This self-attestation form identifies the minimum secure software development requirements a software producer must meet, and attest to meeting, before software subject to the requirements of M-22-18 and M-23-16 may be used by Federal agencies. This form is used by software producers to attest that the software they produce is developed in conformity with specified secure software development practices.