U.S. CISA Secure Software Development Attestation Form (SSDAF) — Secure Software Self-Attestation Requirements

Overview

The U.S. CISASecure Software Development Attestation Form (SSDAF) — SecureSoftware Self-Attestation Requirements is a federal cybersecuritycompliance requirement that enables organizations to formally attestto the use of secure software development practices when supplyingsoftware to the U.S. government. This form supports the government’sinitiative to reduce software supply chain risks and strengthennational cybersecurity posture.

Published by theCybersecurity and Infrastructure Security Agency (CISA), the SSDAFapplies to federal contractors, software vendors, and suppliersaiming to provide software or software services to governmentagencies. It covers secure software development controls, riskmanagement practices, and compliance with guidance such as ExecutiveOrder 14028 and related NIST standards.

Organizationscomplete the SSDAF by documenting and attesting to theirimplementation of secure software development controls, aligningtheir practices with CISA and NIST guidance. Integrating SSDAFrequirements into software development lifecycles, securitydocumentation, and vendor risk management programs supportsregulatory compliance and provides assurance to federal buyers.

Why it Matters

The U.S. CISASecure Software Development Attestation Form (SSDAF) strengthenstrust by ensuring organizations follow secure software developmentpractices and regulatory requirements.

Key benefitsinclude:

•  Support stronger supply chain security

Require softwareproviders to attest to secure development, limiting risks fromthird-party software procurement and integration.

•  Enhance regulatory compliance

Enableorganizations to demonstrate alignment with federal cybersecuritystandards, improving their ability to meet compliance obligationsduring audits.

•  Increase software transparency

Promote greatervisibility into suppliers' development practices, enabling informedrisk management and procurement decisions.

•  Improve incident response readiness

Mandate securedevelopment controls that reduce exploitable vulnerabilities andsupport more effective detection and remediation of software-basedthreats.

•  Strengthen organizational reputation

Provideassurance to customers and stakeholders regarding the securityintegrity of deployed software products and internal developmentprocesses.

How it Works

The U.S. CISASecure Software Development Attestation Form (SSDAF) structuressecure software development requirements around a set of securitycontrols, process safeguards, and regulatory criteria aligned withexecutive orders and federal guidelines. The framework establishes aformal lifecycle for assessing software supply chain risks andcodifies key security practices into defined domains such as sourcecode integrity, vulnerability management, and secure developmentmethods. Organizations are required to self-attest to theimplementation of these controls as part of compliance with federalprocurement requirements.

In practice,organizations apply the SSDAF by integrating its control requirementsinto their secure development lifecycle (SDLC), mapping theframework’s standards to internal governance policies, andconducting regular compliance assessments. Security teams implementcontrols such as code review processes, automated vulnerabilityscanning, and developer training to address compliance gaps. Ongoingmonitoring and document collection support continuous alignment withSSDAF expectations and facilitate timely incident response andremediation.

ThroughSmartSuite, organizations streamline SSDAF operationalization byleveraging pre-built control libraries tailored to secure softwaredevelopment, managing risks within configurable registers, andenforcing policy governance workflows. The platform’s evidencecollection features support audit readiness, while compliancetracking modules and reporting dashboards enable ongoing monitoringof software supply chain security practices and regulatory adherence.

Key Elements

•  Secure Software Development Practices

Specifiesrequired processes for building software that address securityconsiderations throughout the development lifecycle.

•  Supplier Risk Management Controls

Outlinesmechanisms for evaluating and managing third-party and supply chainsoftware risks.

•  Secure Software Design Standards

Establishesminimum standards for secure architecture and coding within developedapplications.

•  Vulnerability Management Requirements

Describesprocedures for identifying, disclosing, and remediatingvulnerabilities in delivered software.

•  Continuous Monitoring Activities

Provides forongoing oversight and review of software to ensure continuedcompliance with security requirements.

•  Attestation and Documentation Processes

Definesnecessary evidence and documentation to support self-attestation ofsecure software development.

Framework Scope

The U.S. CISASecure Software Development Attestation Form (SSDAF) is adopted bysoftware producers contracting with U.S. federal agencies, addressingthe development and delivery of secure software running on federalinformation systems and cloud services. Organizations typicallycomplete the SSDAF when demonstrating control effectiveness andmeeting federal supply chain security requirements.

Framework Objectives

The U.S. CISASecure Software Development Attestation Form (SSDAF) defines keyoutcomes for secure software practices and organizational compliance.

•  Strengthen cybersecurity governance through formalized securesoftware development processes

•  Enhance risk management by addressing vulnerabilities insoftware supply chains

•  Promote regulatory compliance with federal security and privacyrequirements

•  Improve data protection through implementation of robustsecurity controls

•  Support operational resilience by ensuring software integrityand trustworthiness

•  Demonstrate audit readiness and transparency in softwaredevelopment practices The U.S. CISA Secure Software DevelopmentAttestation Form (SSDAF) aligns with secure development practicesfound in NIST SP 800-218, NIST SP 800-53, and the OWASP SoftwareAssurance Maturity Model. Organizations typically implement SSDAF tofulfill federal procurement requirements, regulatory compliance, orto demonstrate secure software development practices to governmentcustomers.

Common Framework Mappings

The U.S. CISASecure Software Development Attestation Form is often mapped torecognized software security and risk management frameworks todemonstrate comprehensive security practices, ensure regulatoryalignment, and streamline compliance reporting.

Mappedframeworks include:

CIS CriticalSecurity Controls

FedRAMP

ISO/IEC 27001

ISO/IEC 27002

NISTCybersecurity Framework

NIST SP 800-161

NIST SP 800-218Secure Software Development Framework (SSDF)

NIST SP 800-53

PCI DSS

SOC 2