To Attest or Not to Attest: Questions from the Trump Cyber Executive Order

Ilona Cohen
Chief Legal and Policy Officer

As we head into the summer, cybersecurity is heating up. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released an advisory about ransomware actors targeting a vulnerability in utility billing software. Banks are raising the alarm about the cybersecurity and data protection practices of federal regulatory agencies. And the Trump Administration released its first cybersecurity Executive Order of the President’s second term.

Although the Executive Order (EO) retains a significant portion of the Biden Administration’s cybersecurity EO 14144, one key area in which the Trump Administration pivots is the government’s approach to secure software development attestation. The new EO rescinds several requirements tied to self-attestation for secure software development: the Office of Management and Budget (OMB) will no longer work to standardize the format of the reporting that supports attestations, CISA will no longer validate the evidence submitted, and the Office of the National Cyber Director will not publish the results of that validation. These changes leave many asking: do we still need to attest to secure software development at all?

The simple answer is yes. Under President Trump’s new EO, software providers selling to the government are still required to submit the self-attestation form, which is based on the National Institute of Standards and Technology’s (NIST) Secure Software Development Framework (SSDF). As part of that requirement, providers must attest to having a vulnerability disclosure program (VDP). A VDP establishes a direct channel through which external parties can report the vulnerabilities they discover before malicious actors find and exploit them; it serves as a digital neighborhood watch. According to the White House Office of Management and Budget, vulnerability disclosure policies “are among the most effective methods for obtaining new insights regarding security vulnerability information and provide high return on investment.” During the development of the self-attestation form, HackerOne provided its expertise to the federal government, highlighting the value of VDPs for software providers.

In short, the self-attestation form is still required for providers of covered software, at least for now. President Trump’s EO also tasks NIST with establishing an industry consortium at the National Cybersecurity Center of Excellence to develop updated secure software guidance based on the SSDF by August 1, 2025, so further changes to the self-attestation requirement are possible. Whatever the future of the SSDF and self-attestation, VDPs must remain a fundamental component of how we secure software, both at the agency level and among federal contractors.

More broadly, EOs have been leveraged to drive cybersecurity forward, and the Trump Administration’s pivot on secure software illustrates the downside of relying on executive orders as a policy mechanism: they can be altered significantly with the stroke of a president’s pen.

To ensure a lasting improvement in federal network cybersecurity, one thing is clear: legislation is the only way to guarantee that VDPs remain a baseline requirement for all federal contractors regardless of shifts in administration priorities. Congress should pass the bipartisan Federal Contractor Cybersecurity Vulnerability Reduction Act, which would require federal contractors to implement a vulnerability disclosure policy, bringing contractors’ practices in line with those of the agencies they serve. This important legislation has passed the House and awaits action in the Senate.