View RCF - OIRA Conclusion

RCF ID: 202404-3235-003CF	Previous RCF ID:
Status: Active	Expiration Date: 03/31/2027
Agency/Subagency: SEC	Agency Tracking No:
Host OMB Control No: 1670-0052	Host ICR Reference No: 202311-1670-001

Title: Secure Software Development Attestation Form

Type of RCF: RCF New
OIRA Conclusion Action: Approved without change	Conclusion Date: 04/17/2024
Retrieve Notice of Action (NOA)	Date Received in OIRA: 04/17/2024
Terms of Clearance:

Description of Agency Usage: OMB M-22-18 and M-23-16 require vendors to do self-attestations for supply chain risk management. The Federal CIO and Federal CISO/Deputy National Cyber Director strongly encourage all agencies to use CISA’s common form for that, as doing so will enable increased information sharing across the Federal ecosystem and will reduce the need for redundant attestations for software used by multiple agencies. Accordingly, attached is the SEC’s minor variation of CISA’s common form, for which the SEC is asking for expedited approval through the common form clearance process, so that the form can be shared with vendors for completion. The OMB Control No. for the CISA Common Software Attestation Form is 1670-0052. A list of agencies already approved to use the common form is located here.

Authorizing Statute(s): EO: EO 14028 Name/Subject of EO: Executive Order on Improving the Nations Cybersecurity

Annual Cost to Federal Government:
Agency Contact: Illeana Ciobanu 202 551-6123

Common Form Information Collections (IC) in this RCF:

IC Title	Status	Responses	Hours	Dollars	Document Type	Form No.	Form Name
Secure Software Development Attestation Form		592	1,434	0	Form and Instruction	N/A	Secure Software Sefl-Attestation Common Form

RCF Summary of Burden:

	Total Approved	Change Due to New Statute
Annual Number of Responses	592	592
Annual Time Burden (Hours)	1,434	1,434
Annual Cost Burden (Dollars)	0	0

Burden increases because of Program Change due to Agency Discretion: No

Burden Increase Due to:

Burden decreases because of Program Change due to Agency Discretion: No

Burden Reduction Due to:

Short Statement: MB M-22-18 and M-23-16 require vendors to do self-attestations for supply chain risk management. The Federal CIO and Federal CISO/Deputy National Cyber Director strongly encourage all agencies to use CISA’s common form for that, as doing so will enable increased information sharing across the Federal ecosystem and will reduce the need for redundant attestations for software used by multiple agencies. Accordingly, attached is the SEC’s minor variation of CISA’s common form, for which the SEC is asking for expedited approval through the common form clearance process, so that the form can be shared with vendors for completion. The OMB Control No. for the CISA Common Software Attestation Form is 1670-0052. A list of agencies already approved to use the common form is located here.