A new FAR rule requires software suppliers to federal agencies to submit secure development attestations, creating training requirements for both agency contracting officers and contractor software development teams.
The Federal Acquisition Regulatory Council published a final FAR rule implementing the secure software development attestation requirements from Executive Order 14028. The rule requires all software suppliers to the federal government to submit self-attestations confirming compliance with the practices in the NIST Secure Software Development Framework (SSDF, NIST SP 800-218) before contract award.
The attestation requirement covers 18 specific SSDF practices, including separation of development environments, supply chain vulnerability management, automated testing integration, and Software Bill of Materials (SBOM) generation. Suppliers who cannot attest to all 18 practices must instead submit a Plan of Action and Milestones (POA&M) documenting each gap and the milestones for closing it.
Agency contracting officers (COs) are responsible for evaluating the adequacy of supplier attestations as part of the responsibility determination process. This creates a significant training need: COs must understand the SSDF practices well enough to assess whether an attestation is complete and credible, and whether a submitted POA&M is realistic.
For contractors, the rule creates immediate compliance obligations and training needs for development teams that may be unfamiliar with formal secure development practices. Medium and small government contractors are expected to face the greatest implementation challenges.
GovAcademy's Secure Software Supply Chain course (GA-025) covers the SSDF practices required for contractor attestation, SBOM generation standards, and supply chain risk assessment methodology. The Secure Government Web Applications course (GA-010) addresses the secure coding practices that underpin several SSDF requirements.
For contracting officers, GovAcademy's Public Procurement Modernization course (GA-004) has been updated with modules covering SSDF attestation evaluation, common attestation red flags, and the POA&M review process for suppliers with identified gaps.
Industry associations representing government contractors have engaged GovAcademy for enterprise training agreements covering the SSDF practices required for attestation compliance.