GSA Issues Supplement 2 to MV-2023-02; Ensuring Only Approved Software is Acquired and Used at GSA

Supplement 2 to MV-2023-02; Ensuring Only Approved Software is Acquired and Used at GSA

BACKGROUND

March 2024 Update: 

In response to Executive Order 14028 and OMB Memorandum M-22-18, both of which aim to improve our nation’s cybersecurity, the Cybersecurity & Infrastructure Secure Agency (CISA) released the Secure Software Development Attestation Common Form (“Common Form”) on March 11, 2024.

GSA’s Actions:

• January 2023 - GSA issued Acquisition Letter MV-2023-02 (AL), Ensuring Only Approved Software is Acquired and Used at GSA, highlighting how current GSA acquisition policy and current GSA information technology policy work together to ensure only approved software (including products containing software) is acquired and used at GSA. Additionally, this AL provided guidance on how GSA intended to collect software attestations.

• May 2023 - GSA issued supplement 1 to MV-2023-02 in response to OMB Memorandum M-23-16. This supplement paused GSA’s plan to begin collecting software attestations in June 2023 as CISA and OMB continued developing the Common Form.

• April 2024 - GSA issued supplement 2 to MV-2023-02. This supplement reestablishes GSA’s requirement to collect and utilize the Common Form starting June 8, 2024.

What does this mean for you?

• GSA will begin collecting Common Forms as part of pre-award and post-award contract deliverables starting June 8, 2024 for all impacted software, regardless of whether or not the software is considered critical.

• GSA will collect Common Forms directly from offerors and contractors, as needed. If a valid form is posted publicly or has already been submitted to CISA’s Repository for Software Attestations and Artifacts (“Repository”), there is no need to obtain a separate attestation. Generally, as outlined in MV-2023-02, for GSA-funded acquisitions, Common Forms and Plan of Action & Milestones (POA&M) will be collected and reviewed, as necessary, through GSA’s existing IT Standards process.

• If you are a software producer, we recommend creating a “Software Producer Account'' in the Repository. This will allow you to submit records, attestations, and artifacts. Instructions for creating an account can be found in the Repository for Software Attestation and Artifacts User Guide

• Unless already collected through the Repository, GSA will utilize the same Common Form issued by CISA except that it will be marked with a GSA-specific Paperwork Reduction Act and Privacy Act statement. A copy of GSA’s Common Form (Form Number GSA 7700) can be found at GSA’s Acquisition Policy Library and Resources Page.

Where can I find more information?

GSA industry partners should continue to monitor CISA’s site for additional information, resources, and updates, or contact the GSA contracting officer responsible for a specific solicitation or contract.

Summary of helpful links:

CISA/OMB links:

• CISA Blog Post (03/11/2024), In Effort to Bolster Government Cybersecurity, Biden Administration Takes Step to Ensure Secure Development Practices

• CISA Blog Post (03/18/2024), Repository for Software Attestation and Artifacts Now Live

• CISA Secure Software Development Attestation Common Form

• CISA Repository for Software Attestation and Artifacts User Guide

• OMB M-22-18 (09/14/2022), Enhancing the Security of the Software Supply Chain through Secure Software Development Practices

• OMB M-23-16 (06/09/2023), Update to Enhancing the Security of the Software Supply Chain through Secure Software Development Practices