The Trump administration’s elimination of a security attestation requirement for federal software vendors could change how those companies demonstrate their products’ security to customers in the government and beyond.
On Jan. 23, the White House’s Office of Management and Budget rescinded a Biden administration directive that told agencies to require their software providers to fill out a security attestation form developed by the Cybersecurity and Infrastructure Security Agency. The memo said the attestation requirement “imposed unproven and burdensome software accounting processes that prioritized compliance over genuine security investments.”
OMB’s move to scrap the attestation requirement leaves agencies to decide for themselves how much information to require from vendors about their products’ security. The decision immediately prompted sharply divided reactions from the cybersecurity community, with some experts warning that the move would undermine efforts to push companies toward better security practices.
“The self-attestation process was a stepping stone to more secure software,” said Nicholas Leiserson, who served as the assistant national cyber director for cyber policy and programs during the Biden administration. “Eliminating [the process] without providing a replacement mechanism is an unequivocal step backward for government cybersecurity.”
Allan Friedman, a former senior adviser and strategist at CISA who led efforts to improve software transparency, wrote on LinkedIn that the requirements and CISA’s attestation form were meant to help agencies that lacked the resources to “design their own risk management approaches,” as well as to “help vendors not have to comply with dozens of unique requirements.”
OMB did not respond to a request for comment.
The attestation mandate was part of the Biden administration’s strategy to use the government’s purchasing power to drive software vendors toward more security-minded development practices. CISA led that strategy through its Secure by Design campaign, which encouraged companies to assume more of the burden for the secure operation of their products. The leaders of that campaign left the government early in the Trump administration, leaving its fate uncertain.
Leiserson, who is now senior vice president for policy at the Institute for Security and Technology, a nonprofit think tank, said the Biden administration designed the attestation requirement to be a “backstop” to more forward-leaning initiatives like Secure by Design.
“It ensures that software security does not become an afterthought by making it easier to bring a claim if a vendor fails to live up to its obligations,” he said.
The government has been trying to get software makers to take more responsibility for their products since the 1990s, said James Lewis, a longtime cyber policy expert and former government official who is now at the Center for European Policy Analysis (CEPA). Lewis called the elimination of the attestation requirement “idiocy” and “a step backward.”
Imperfect process
Critics of the attestation process said agencies implemented it haphazardly, even after CISA developed the common form for all agencies to use. “Some agencies continued to follow up with additional questions or to emphasize different aspects of the requirements,” said Ari Schwartz, the managing director of cybersecurity services at the law firm Venable. “For vendors with large product portfolios and multiple software versions, the process still represented a substantial paperwork effort.”
Schwartz said some companies told him that agencies asked them to attest to the security of products that were “well past their end of life.” Because of the security flaws inherent in those out-of-date products, Schwartz said, the companies couldn’t meet the agencies’ demands.
The tech industry, which repeatedly criticized the attestation form as poorly designed, asked the Biden administration to clarify elements it considered vague or problematic.
Gordon Bitko, executive vice president of public sector for the Information Technology Industry Council, praised the Trump administration’s “decision to move away from prescriptive mandates in favor of a risk-based approach” to security.
Henry Young, senior director of policy for the Business Software Alliance, said the attestation form “proved difficult to implement consistently and diverted resources away from managing real cybersecurity risk.”
Leiserson pushed back on those claims. “The form in question takes roughly three hours to complete,” he said.
Vendors’ fear of liability for misrepresenting their products’ security “was the real burden,” CEPA’s Lewis argued.
Every agency for itself
With the White House leaving it up to individual agencies to decide how to hold their software vendors accountable, the result could be a fragmented landscape of inconsistently stringent oversight.
Some agencies may continue using CISA’s form, while others may develop their own processes that ask for more or less information from software companies. That might make things even more complicated for vendors than the mandate whose demise they celebrated.
“If agencies all go in different directions and adopt very different approaches,” Schwartz said, “that could end up increasing the burden on companies without necessarily improving security.”
ITI’s Bitko urged the White House to “guard against fragmented, agency-specific requirements” that could make compliance more expensive.
The White House memo offered several suggestions to agencies, including referencing the National Institute of Standards and Technology’s Secure Software Development Framework (SSDF) or requesting software or hardware bills of materials from vendors. On LinkedIn, Friedman called the SSDF “a solid tool” but said it was “not designed for compliance or measurement.”
Schwartz said it would be best if agencies converged on “broadly similar” security expectations that they implemented through contract language. BSA’s Young said the most effective approaches would base requirements on risk levels and use international standards.
An ongoing White House initiative could help prevent a sprawling patchwork of requirements. The Trump administration is in the process of revising the way agencies certify technology for use, which could lead to new government-wide standards for software security.
On alert for cascading security lapses
Most of the software that the government buys is the same commercial technology available to private businesses. If vendors’ attention to security slackens without strict oversight from their government customers, the consequences could endanger all of their customers.
Many cybersecurity experts have argued that the government’s longstanding deference toward Microsoft, one of its most important suppliers, encouraged the erosion of the company’s security culture that enabled a series of major cyberattacks on Microsoft products.
“Improvements in software security in response to market signals from the government [help] all users of that software, not just the government,” Leiserson said. “Conversely, the removal of such incentives will leave the ecosystem more vulnerable.”
For now, Schwartz said, “it’s too early to say whether this will meaningfully change the security of the software [that] agencies use.” Much will depend, he said, on how agencies — especially the biggest ones, which have the most significant software contracts — refashion their vendor oversight in response to the new White House guidance.