Get details on the CISA Attestation, how to address it, and how Legit can help.

In the rapidly evolving cybersecurity landscape, the imperative for robust and standardized security measures has never been more critical. We see this more now than ever as software supply chain attacks continually increase 600-700% year over year. To add some governance to the chaos, the Cybersecurity and Infrastructure Security Agency (CISA) was born in 2018 with the mission to fortify the nation’s cyber and infrastructure resilience.  

This organization has been tasked with making sure critical applications and infrastructure are secure and protected from malicious actors globally. In doing so they have enacted policies and best practices to help government and civilian entities create safer and more secure software.

Background of CISA Attestation

More than four years ago, the application security world was rocked with one of the largest and most costly attacks seen: the SolarWinds breach. Malicious actors infiltrated SolarWinds’ development pipelines and injected malicious code without the knowledge of security. This malicious package was then sent to thousands of victims (i.e., SolarWinds customers) downstream. 

It was this attack that was the catalyst for the creation of President Joe Biden’s Executive Order (EO) on America’s Supply Chains in February 2021. This EO specifically called out the need for a new industry framework around securing the nation’s software supply chains. The National Institute of Standards and Technology (NIST) responded by creating the NIST Secure Software Development Framework (SSDF), otherwise known as NIST SP 800-218.

The NIST Secure Software Development Framework (SSDF) provides a comprehensive set of guidelines aimed at integrating security into the software development lifecycle, thereby enhancing the security posture of software products from inception to deployment. It outlines best practices and actionable recommendations for organizations to minimize vulnerabilities, improve security incident response, and foster a culture of security within software development teams. 

As part of this newly formed framework, CISA set two deadlines for organizations selling software to the U.S. government to adhere to the SSDF framework: June 11, 2023 for all critical software and infrastructure and Sept 13, 2023 for all non-critical software and infrastructure. Some examples of what constitutes critical software would be software with any components that are designed to run with elevated privileges, has access to privileged networks or computing systems, or performs a function critical to trust or operates outside of normal trust boundaries. 

To verify and validate that organizations meet the controls needed to be NIST SSDF compliant, CISA created an attestation form that needs to be signed by a high-level executive, currently limited to the CEO or COO, within an organization. We’re already seeing federal agencies, such as the FDA, start to hold vendors accountable to the controls found in NIST SSDF.

Additionally, OMB, Office of Management and Budget, has stated that agencies must take action to adopt NIST’s SSDF guidelines when procuring software, “effective immediately.” With that said, OMB Memorandum M-22-18 has delayed the attestation requirements by 30 and 60 days after the approval of the CISA Attestation Common Form for critical and non-critical software respectively.

Purpose of CISA Attestation

The new CISA Attestation form allows organizations to verify and “attest” that they adhere to the SSDF guidelines and comply with a subset of the controls listed in SSDF as listed in the CISA Attestation form. Within this attestation there are four main areas of concern that need to be attested to:  

1. Secure Development Environments: Are we using best practices to verify that code is being created in a secure manner and has proper checks during change management processes?  
   
2. Secure Software Supply Chain: Are we using proper controls to maintain integrity of the code as it goes through build pipelines, gets deployed to production environments, and uploaded into artifact registries?  
3. Maintain Code and Artifact Provenance: Can we validate that the code and artifacts created haven’t been altered or maliciously changed during the build process?  
4. Check for Vulnerabilities: Are we checking for known vulnerabilities within both the application and build processes so we understand where there’s risk so we can remediate or mitigate appropriately? 

Within each of these areas, there are several complex controls that need to be implemented, verified and evidenced in order to meet the requirements set by CISA.  

This is no easy feat due to the complexity of modern application development, and one of the main concerns voiced by organizations during the CISA Attestation commenting period is the difficulty and complexity of validating these controls and providing evidence for them.

How CISA Attestation Benefits Organizations and Government

CISA attestation serves as a powerful tool for organizations and governments and provides a structured framework to elevate cybersecurity practices, including:

• Enhanced Security: Attestation standards elevate organizational cybersecurity practices.
• Compliance and Trust: Stakeholder confidence is boosted through adherence to recognized security standards.
• Risk Management: CISA attestation plays a role in identifying and mitigating cybersecurity risks.

There are several real benefits to having an attestation process like this:

Enhancing National Security

By setting and enforcing robust cybersecurity standards, CISA attestation helps protect critical infrastructure and key resources that are vital to the nation’s security, economy, public health, and safety. This includes sectors such as energy, transportation, banking, and healthcare, among others.

Establishing Compliance Standards

CISA attestation provides a framework for organizations to assess, validate, and demonstrate their compliance with established cybersecurity practices and protocols. This ensures a consistent and high level of security across different sectors and organizations. Additionally, the attestation framework breaks the larger NIST SSDF into more “bite-sized” and manageable pieces for organizations while highlighting the areas where an organization should start to improve their software supply chain maturity.

Improving Risk Management

Through the attestation process, organizations are encouraged to adopt a proactive approach to identifying, assessing, and managing cybersecurity risks. This includes regular assessments, threat monitoring, and the implementation of effective security measures to mitigate risks.

Promoting Public and Private Sector Collaboration

CISA attestation fosters collaboration between government agencies and private sector entities. This partnership is crucial for sharing threat intelligence, best practices, and resources to enhance the collective cybersecurity defense.

Building Trust and Confidence

For organizations, achieving CISA attestation can build trust among stakeholders, customers, and partners by demonstrating a commitment to maintaining high standards of cybersecurity. This can be particularly important for companies that handle sensitive data or are part of critical supply chains.

Driving Continuous Improvement

The attestation process encourages organizations to continuously review and enhance their cybersecurity practices in response to evolving threats and technological advancements. This commitment to continuous improvement helps ensure that security measures remain effective over time.

Best Practices for Preparing for CISA Attestation

While not an exhaustive list, here are several things you can do now to prepare and shore up your SDLC security practices:

Understand CISA Requirements 

• Comprehensive Review: Begin by thoroughly reviewing CISA’s cybersecurity guidelines and requirements to understand the specific standards and practices your organization must meet. 
• Regulatory Updates: Stay informed about any updates or changes to CISA regulations to ensure ongoing compliance.

Conduct a Gap Analysis

• Current State Assessment: Evaluate your existing cybersecurity practices against CISA requirements to identify gaps. 
• Risk Assessment: Perform a risk assessment to prioritize the identified gaps based on their potential impact on your organization’s security posture. 

Implement Necessary Controls and Procedures

• Security Controls: Adopt and enhance security controls that align with CISA’s guidelines, including access control, data protection, software supply chain hardening, and proper implementation of application security testing tools. 
• Policies and Procedures: Update or develop policies and procedures that support the implementation of required security controls and compliance with CISA standards.

Invest in Employee Training and Awareness

• Cybersecurity Training: Regularly train employees on cybersecurity best practices, the importance of compliance, and their role in maintaining security. 
• Phishing and Social Engineering: Conduct training sessions to help employees recognize and respond to social engineering attacks such as phishing. Limit excess privileges to prevent lateral movement in the event of a compromise. 

Leverage Technology and Tools

• Security Solutions: Utilize cybersecurity tools and solutions that aid in compliance, such as secret detection, application security testing tools, software supply chain solutions, and application security posture management (ASPM) systems to correlate and prioritize risk. 
• Automation: Employ automation where possible to streamline compliance processes, monitor security continuously, and reduce the likelihood of human error.

Continuous Monitoring and Improvement

• Regular Audits: Conduct internal and external audits regularly to assess compliance with CISA standards and identify areas for improvement. 
• Incident Management: Implement an effective incident management process that includes detection, response, recovery, and post-incident analysis to learn and adapt from security events.

Documentation and Reporting

• Record-Keeping: Maintain comprehensive documentation of your cybersecurity policies, procedures, controls, training programs, and audit results as evidence of compliance. 
• Transparency: Be prepared to provide detailed reporting on your compliance status and security posture to relevant stakeholders, including CISA, if required.

Legit’s Role in CISA Attestation

Security is hard, particularly in the context of securing fast-moving development pipelines. Add to that the pressure of verifying that you meet compliance, and it becomes a Sisyphean task without the right tools or processes in place.  

This is one of the main reasons Legit has focused so heavily on helping organizations understand where they stand regarding compliance standards.  

So how can Legit help you? Let’s break it down based on the four focus areas of the CISA Attestation. 

Secure Development Environments

• Secrets Detection – Legit utilizes proprietary AI/LLM technology to find secrets across your entire SDLC, not just in code. 
• Developer Identification & Permissions – The Legit platform can instantly tell you what collaborators are working on your products at all times, and can also give you a complete list of permissions associated with each collaborator.  
• SDLC Visibility – Legit automatically and continuously discovers and maps all build tools and production environments, AI/LLMs, etc. across your entire development organization. 

Secure Software Supply Chain

• SDLC Hardening – Legit offers the deepest and most comprehensive list of policies and best practices around protecting all the assets found in a software factory, including code repos, CI/CD systems, pipeline controls, IaC, and more. 
• SDLC Graph – Legit enables you to fully understand how code progresses through your pipelines for complete traceability in all your products – from code repo > build tools > artifact registry > deployment. 
• Code to Cloud – Legit instantly traces any issue found in production back to the associated code in seconds for easy and fast remediation.  

Maintain Code and Artifact Provenance

• Artifact Provenance – Legit enables you to view and download provenance records instantly to verify and provide evidence that artifacts haven’t been manipulated during the build process.  
• Complete Inventory – Legit tracks all resources being used in development, in the build process, as well as in production, such as repos, container images, Kubernetes resources, packages, and more. 

Check for Vulnerabilities

• Single Source of Truth – Legit aggregates, prioritizes, and remediates all issues from a single platform. With Legit, you can integrate all your existing application security tooling, which allows us to overlay additional context about your business and development environments for better understanding of risk. 
• Control Mapping – Legit provides complete visibility into where you have proper controls in place, and more importantly, where you are missing controls in order to get full coverage using your existing tools.  
• Extended Risk Visibility – Due to our deep understanding of SDLC and IaC risk, Legit provides additional vulnerability, misconfiguration, and risk identification into areas of the SDLC largely ignored by existing application security tools. 

Most important, because of the comprehensive visibility, deep understanding of an organization’s SDLC, and robust set of built-in governance policies, we have the unique ability to provide real-time compliance assessments across your entire company product portfolio, business unit, or even individual product line and instantly tell you whether you meet CISA Attestation requirements. And when we find gaps, we don’t just point them out … we tell you where they live, who owns them, and how to go about remediating them so you can close them fast.  

Lastly, while this blog is about CISA Attestation and how we can help with that area, I’d be remiss to not mention that we do this same compliance mapping and gap identification for several other commonly used standards including PCI, SOC2, SSDF, SLSA & FedRAMP.

Insights, Identification, and Remediation With Legit

In the complex journey toward CISA Attestation and SSDF compliance, the challenges can seem daunting, particularly given the stringent requirements and myriad controls involved. Legit Security stands out by offering not just tools but a comprehensive understanding of the software security program, tailored to help organizations navigate the detailed requirements of attestation. Legit Security’s approach focuses on providing deep insights into your software development processes, helping to identify vulnerabilities and streamline remediation efforts. This support is crucial not only for achieving compliance but also for fostering a culture of continuous improvement in cybersecurity practices, ensuring that organizations can maintain a strong security posture in the face of evolving threats.  

Learn more about how Legit helps organizations comply with regulations.

Additional Resources 

• CISA Official Website – https://www.cisa.gov/ 
• CISA Attestation Form – https://www.cisa.gov/resources-tools/resources/secure-software-self-attestation-common-form 
• NIST SP 800-218 Secure Software Development Framework (SSDF) – https://csrc.nist.gov/projects/ssdf 
• White House Executive Order on America’s Supply Chains – https://www.whitehouse.gov/briefing-room/presidential-actions/2021/02/24/executive-order-on-americas-supply-chains/  

*** This is a Security Bloggers Network syndicated blog from Legit Security Blog authored by Joe Nicastro. Read the original post at: https://www.legitsecurity.com/blog/how-to-address-cisa-attestation