OMB Control No. 1670-0052
Expires: 03/31/2027
Hello Haxx
** The following communication contains important DOE Secure
Software Development Attestation Submission instructions.
Please read this communication in its entirety. **
The U.S. Department of Energy (DOE) has identified your
company's software as affected by this request. The list of
impacted software products and versions can be found below.
DOE Request:
In support of the Office of Management and Budget (OMB)
requirement to collect attestations per M-22-18, please
complete the U.S. Department of Energy Secure Software
Development Attestation Form (DOE Common Form). If you are
unable to attest to all secure software development
framework (SSDF) practices, please be sure to attach your
Plan of Action and Milestones (POA&M). The software listed
below has been identified as being associated with your
company and requires DOE to collect an attestation for the
software.
Product Name    Version Number
libcurl         8.3
The U.S. Department of Energy Secure Software Development
Attestation Form (DOE Common Form) can be found at DOE F
205.2 Secure Software Development Attestation Form
(energy.gov). The DOE Common Form identifies the minimum
secure software development requirements a Software Producer
must meet, and attest to meeting, before software subject to
the requirements of M-22-18 as updated by M-23-16, may be
used by Federal agencies. This form is used by Software
Producers to attest that the software they produce is
developed in conformity with specified secure software
development practices and standards.
If you would like to submit your own attestation in lieu of
completing the fillable PDF copy of the DOE Common Form, you
may use one of the methods below:
* Provide a completed PDF of the CISA Secure Software
Development Attestation Form.
* Provide a public facing URL to the company's publicly
posted Secure Software Development Attestation Form in
response to this email request.
* Provide a completed PDF of the certified FedRAMP Third
Party Assessor Organization (3PAO). A third-party
assessment is acceptable in lieu of a self-attestation, if
provided by either a certified FedRAMP Third Party
Assessor Organization (3PAO) or one approved by the
agency. The 3PAO used needs to utilize NIST Guidance as
the assessment baseline.
If you experience any issues or have any questions, please
contact doe.attestation@hq.doe.gov.
Regards,
DOE OCIO C-SCRM Team
https://daniel.haxx.se/blog/2024/08/14/so-the-department-of-energy-emailed-me/