Request for Comment on CISA Secure Software Self-Attestation Common Form

[cmlh]

https://www.cisa.gov/secure-software-attestation-form is due 26 June, 2023.

Consideration should also be given to the possible align with PCI-DSS Secure Software Standard v1.2 Report on Validation (ROV) template and
Attestation of Validation (AOV) to reduce rework.

[stevespringett]

See comments from Jason Weiss https://www.linkedin.com/feed/update/urn:li:activity:7058162932412510208?updateEntityUrn=urn%3Ali%3Afs_feedUpdate%3A%28V2%2Curn%3Ali%3Aactivity%3A7058162932412510208%29. The attestation form is missing 9 controls from SSDF.

Also note that human readable attestations cannot be easily automatable. OWASP CycloneDX has a working group that is developing a general purpose, machine readable attestation standard that can be used to attest to many types of standards or regulations.
https://docs.google.com/document/d/1KpbqD2QwSxm0eymvH56DXceqpWDsSPE0iUNBmkzkX6w/edit. It could be used to attest to SAMM, ASVS, BSIMM, SOC2, etc. And if in the future the govt wants to automate their attestations, then it could be used for that to.

[tghosth]

Not sure ASVS is relevant for this