
Chainguard Signs CISA’s Secure Software Development Attestation Form

Matt Moore, CTO & Co-founder

We’re thrilled to announce that Chainguard has officially signed the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure Software Development Attestation Form. Everything we do at Chainguard is done with security top of mind. Submitting this attestation shows that our products are in line with the National Institute of Standards and Technology’s (NIST) Secure Software Development Framework (SSDF) and the software supply chain security requirements in the Office of Management and Budget’s (OMB) Memorandum M-22-18. In short, we’re attesting to the security of Chainguard products for federal government users.


Curious why this matters? Let’s start with a quick history lesson.


Where did CISA’s Self Attestation come from?


In 2020, the infamous SolarWinds attack happened: a supply chain attack on the software build system of SolarWinds, an IT infrastructure company whose products were widely used by several major U.S. government agencies. The attackers compromised the build process and injected malicious code into updates that were distributed to SolarWinds' customers. This attack was just the beginning; we’ve seen other types of software supply chain attacks in recent years, including attacks on PyPI packages, containers, and upstream code. These attacks have resulted in a much greater focus on software supply chain security as a whole at the federal level.


Several actions have been taken by the U.S. federal government to guide companies toward better software supply chain security, including Executive Order (EO) 14028 in May 2021 and the OMB’s M-22-18 and M-23-16 in subsequent years. These actions culminated in the creation of CISA’s Self Attestation Form, which first appeared for review in April 2023 and was officially released in March 2024. You can think of this form as a “one stop shop” to show that a product meets all the requirements outlined in the White House’s various software supply chain security standards.


Requirements


By submitting the CISA Self Attestation Form, we’re attesting to the security initiatives mentioned above. This includes things like:


  • Our software is developed and built in secure environments.

  • We’ve made a good-faith effort to maintain trusted source code supply chains.

  • We employ automated tools or comparable processes in a good-faith effort to maintain trusted source code supply chains.

  • We maintain provenance data for internal and third-party code incorporated into the software.

  • We employ automated tools or comparable processes that check for security vulnerabilities.


If you’re already aware of Chainguard, you’re probably familiar with all of these concepts – they’re the DNA of the company. Our mission is to be the safe source for open source, so it’s only right that we hold ourselves to the highest standards possible when it comes to security. And with our submission, we are excited to help enable other organizations to meet their desired compliance needs, whether it’s for use at the federal level, or other use cases.


Why Signing CISA’s Self Attestation is Important


At Chainguard, many of the focus areas in CISA’s Self Attestation Form are important not only to us, but to our customers. Being able to attest to a secure development environment in our build processes is critical for maintaining trust with our customers.


Our products are designed to help our customers build a secure software supply chain. Chainguard Images have zero vulnerabilities (CVEs) and come with verifiable signatures and full build-time SBOMs. We fully believe in these best practices, and our signature of the Self Attestation Form is another way for us to show our support for our customers and their contributions to a better way of developing software – one where security and innovation work together.


Chainguard: Building a Secure Software Supply Chain


Our team at Chainguard has a lot of experience and expertise in software supply chain security, and in how the federal government perceives it. In the past, we’ve shared some guidance for CISOs on what these requirements mean and how to explain them to company boards. We also signed CISA’s Secure By Design pledge – committing to several important security goals. We take our own security seriously, so we can make sure yours is taken seriously too.


Learn more about Chainguard Images, and reach out if you are interested in hearing more about the steps we are taking in securing the software supply chain.

