New Update in the Multiple Award Schedule GSA Interact Community: Understanding Software Attestations and Your MAS Contract

Written By Katey Grogan

Attention Software Producers and Resellers:

The Office of Management and Budget (OMB) has issued guidance that requires federal agencies to use only software that adheres to government-mandated secure software development practices. As part of this compliance, software producers are required to complete a self-attestation form, affirming that their software conforms to the National Institute of Standards and Technology (NIST) guidelines.

These attestation forms play a crucial role in the procurement process:

  • Public Availability: Software producers may choose to publicly post their completed attestation forms.

  • CISA Repository: If the forms are not publicly available, they must be uploaded to a repository managed by the Cybersecurity & Infrastructure Security Agency (CISA). This allows federal agencies to access the forms during the procurement process.

For Ordering Activities:
Ordering activities are responsible for reviewing the attestation forms. This includes checking forms that have been posted publicly or previously submitted to the CISA repository. If a new attestation form is submitted, it should also be added to the CISA repository. In cases where a software producer cannot attest to one or more required practices, the ordering activity must obtain and review a Plan of Action & Milestones (POA&M) from the software producer before proceeding with the use of the software.

What Does This Mean for MAS Contractors?

  • No Software Awarded: If your MAS contract does not include software, no action is required.

  • Software Awarded: If your MAS contract includes software:

    • If the software producer has already posted or submitted the attestation form to the CISA repository, there's no need to resubmit for the same software version.

    • If the software producer has not yet submitted an attestation form or posted it publicly, it is essential to upload the completed form to the CISA repository for all software versions awarded under your MAS contract.

    • If the software producer is unable to attest to specific practices or complete the form, the ordering activity will require a POA&M detailing any deficiencies.

If you have any questions or need further clarification, please reach out to K&G.

Katey Grogan
Previous

Mastering the Sales Reporting Portal: Essential Training for GSA MAS Contractors
Next

GSA Seeks Feedback on Revised Guidance for MAS Contractor Team Arrangements (CTAs)