The US General Services Administration (GSA) has taken a major step toward improving software cybersecurity with this announcement.
The era of blind faith in digital objects and software is ending, and the era of radical transparency begins on June 8, 2024 with the CISA Repository for Software Attestations and Artifacts (RSAA) portal. From that date, software producers and makers of digital products sold to the US government will be required to file a secure software attestation form (the CISA Secure Software Development Attestation Common Form) through the CISA RSAA portal. CISA is also hosting a conference on June 12 to help parties prepare for these changes.
SUBJECT: Supplement 2 to MV-2023-02; Ensuring Only Approved Software is Acquired and Used at GSA
Timeline for Collection & Updates to Associated GSA IT Policy
Starting June 8, 2024, GSA will begin collecting Common Forms for new contracts (including micro-purchases) and the exercise of contract options, that include the use of software, regardless of whether or not the software is considered critical.
U.S. General Services Administration
1800 F Street, NW
Washington, DC 20405
www.gsa.gov
The Bulk Electric System segment of the energy industry remains in the dark ages, relying on vendor questionnaires for software supply chain risk assessment and continuing to believe in "status quo" cybersecurity practices that have failed and will continue to fail, because they lack the modern thinking needed to address today's cyber-risk challenges. Modern cybersecurity practices can be seen in the NARUC/DOE CPG proposal and in the GSA announcement, both of which rely on NIST guidance and on CISA Secure Software attestations from software vendors, rather than self-reported questionnaires, to evaluate cyber-risk.