View RCF - OIRA Conclusion

RCF ID: 202405-3133-001CF	Previous RCF ID:
Status: Active	Expiration Date: 03/31/2027
Agency/Subagency: NCUA	Agency Tracking No:
Host OMB Control No: 1670-0052	Host ICR Reference No: 202311-1670-001

Title: Secure Software Development Attestation Form

Type of RCF: RCF New
OIRA Conclusion Action: Approved without change	Conclusion Date: 05/07/2024
Retrieve Notice of Action (NOA)	Date Received in OIRA: 05/01/2024
Terms of Clearance:

Description of Agency Usage: NCUA intends to use this form to obtain self-attestations from software producers that their software is developed in conformity with Government-specified minimum secure software development practices. The information in this collection will be used to assess any potential risk in the agency’s use of the software.

Authorizing Statute(s): EO: EO 14028 Name/Subject of EO: Improving the Nation’s Cybersecurity

Annual Cost to Federal Government:
Agency Contact: Dacia Rogers 202 402-3374 dacia.a.rogers@hud.gov

Common Form Information Collections (IC) in this RCF:

IC Title	Status	Responses	Hours	Dollars	Document Type	Form No.	Form Name
Secure Software Development Attestation Form		30	73	0	Form and Instruction	N/A	Secure Software Sefl-Attestation Common Form

RCF Summary of Burden:

	Total Approved	Change Due to Agency Discretion
Annual Number of Responses	30	30
Annual Time Burden (Hours)	73	73
Annual Cost Burden (Dollars)	0	0

Burden increases because of Program Change due to Agency Discretion: Yes

Burden Increase Due to: Changing Regulations

Burden decreases because of Program Change due to Agency Discretion: No

Burden Reduction Due to:

Short Statement: Executive Order 14028, “Improving the Nation’s Cybersecurity” (E.O. 14028), emphasizes the importance of securing software used by the Federal Government to perform its critical functions. To further this objective, E.O. 14028 required NIST to issue guidance “identifying practices that enhance the security of the software supply chain.” The NIST Secure Software Development Framework (SSDF) (SP 800-218), and the NIST Software Supply Chain Security Guidance (these two documents, taken together, are hereinafter referred to as “NIST Guidance”) include a set of practices that create the foundation for developing secure software. This self-attestation form identifies the minimum secure software development requirements a software producer must meet, and attest to meeting, before certain software may be used by Federal agencies. This form is used by software producers to attest that the software they produce is developed in conformity with specified secure software development practices.