GSA to start collecting letters of attestation from software vendors in mid-June

The General Services Administration say it hopes to share details of the updated certification process with tech companies by June 12.
The General Services Administration (GSA) Headquarters building. (SAUL LOEB/AFP via Getty Images)

The General Services Administration will begin collecting letters of attestation from software vendors it works with in mid-June, according to an acquisition memo.

The department will use a common form provided by the Cybersecurity and Infrastructure Security Agency to collect the letters, which it expects will be available before June.

Details on the implementation timeline for the new requirements come as federal contractors’ cybersecurity arrangements attract enhanced scrutiny.

Writing in an op-ed for Foreign Affairs on Wednesday, CISA Chief Jen Easterly called for industry to take greater responsibility for ensuring the safety of its products and said shareholders should ensure c-suite executives are viewing cyberrisk as a board-level issue. 


By collecting the letters of attestation from vendors, GSA will work to implement a memo signed by the White House in September that requires federal agencies to ensure that all third-party IT software deployed adheres to National Institute of Standards and Technology supply chain security requirements. 

Requirements for software vendors working with government to attest to the safety of their products was also included in the Biden administration’s May 2021 cyber executive order

The Federal Acquisition Council is currently considering a rule change that would embed the requirement for software providers to attest to the security of their products within the Federal Acquisition Regulation.

In its memo, GSA said: “To comply with Executive Order 14028 and OMB Memorandum M-22-18, which require federal agencies to only use software that complies with Government-specified secure software development practices, GSA IT will update its processes to approve software including requiring vendor attestations.

It added: “GSA IT anticipates issuing an updated attestation process by June 12, 2023.”


In the acquisition note, GSA said that cloud providers are encouraged to continue working within the Federal Risk and Authorization Management Program (FedRAMP) framework.

“The FedRAMP approval process will streamline the GSA IT Standards Process allowing for a timely contract start,” the agency said. “GSA also anticipates that leveraging FedRAMP will ensure and streamline compliance with requirements of OMB Memo M-22-18 in the future.”

Correction, 2/2/22: This article was updated to clarify that GSA will begin collecting letters of attestation only from software vendors it works with directly, not from those working with other federal agencies.

Latest Podcasts