Secure Software Attestation FAQ

About Secure Software Attestations

Receiving the Secure Software Attestation

Denial of a Secure Software Attestation Request


About Secure Software Attestations

Q: What is a Secure Software Attestation?
A: Secure software development attestations, or “software attestations,” are signed forms whereby a software producer or an independent third-party assessor attests that the software producer consistently uses the secure software development practices outlined in the U.S. government’s Secure Software Development Attestation Framework.

See: https://www.cisa.gov/resources-tools/resources/secure-software-development-attestation-form

Q: Why is Cisco providing Secure Software Attestations?
A: In May 2021, the Biden Administration issued an Executive Order on Improving the Nation’s Critical Infrastructure (EO 14028). The EO's goals included improving cybersecurity standards and software supply chain security for US federal agencies, expanding public/private partnerships, and improving transparency and information sharing. We support the U.S. government's directives to improve critical infrastructure and to address complex multidimensional cybersecurity challenges affecting the world. Resulting from the EO, US federal agencies are obligated to align with the Secure Software Development Framework (NIST SP 800-218) and to either self-attest to product conformance or have an independent Third-Party Assessment Organization (3PAO) attest on the software producer’s behalf. Software vendors that cannot attest to meeting the requirements may instead provide the requesting USG agency with a Plan of Action and Milestones (POAM).

Learn more at https://www.cisco.com/c/en/us/about/trust-center/transparency.html

Q: Where can I go to get additional information about Cisco’s Secure Software Attestation Policy?
A: See https://www.cisco.com/c/en/us/about/trust-center/transparency.html

Q: How do I obtain a Secure Software Attestation for Cisco products and services?
A: Cisco is providing Secure Software Development Attestations to US federal agencies to enable their compliance with the Executive Order. Cisco does not provide attestations to other customers or partners.

If you are a US government employee in need of a Cisco attestation, first search CISA’s Repository for Software Attestations and Artifacts (RSAA) database. If an attestation you need is not present in the RSAA database, contact your Cisco Sales Account Manager to obtain the Secure Software Attestation(s).

US Government employees who need assistance locating their Sales Account Manager can send an email to: sw-attestation-accountmgr@external.cisco.com

Q: Is there a list of all available Secure Software Attestations?
A: Cisco is providing Secure Software Development Attestations to US federal agencies to enable their compliance with the Executive Order. Cisco does not provide attestations to other customers or partners.

If you are a US government employee in need of a Cisco attestation, first search CISA’s Repository for Software Attestations and Artifacts (RSAA) database. If an attestation you need is not present in the RSAA database, contact your Cisco Sales Account Manager to obtain the Secure Software Attestation(s).

For assistance in locating your Sales Account Manager, email:
sw-attestation-accountmgr@external.cisco.com

Q: Is there a place I can go to find a list of Cisco Secure Software Attestations without contacting my Sales Account Manager?
A: Cisco is providing Secure Software Development Attestations to US federal agencies to enable their compliance with the Executive Order. Cisco does not provide attestations to other customers or partners.

If you are a US government employee in need of a Cisco attestation, first search CISA’s Repository for Software Attestations and Artifacts (RSAA) database. If an attestation you need is not present in the RSAA database, contact your Cisco Sales Account Manager to obtain the Secure Software Attestation(s).

For assistance in locating your Sales Account Manager, send an email to:
sw-attestation-accountmgr@external.cisco.com

Q: What information is required to request a Secure Software Attestation?
A: You will need to provide the following information to obtain a Secure Software Attestation:

  • Software Type
  • Platform Group
  • Software Version (not required but will help to accelerate requests)

Receiving the Secure Software Attestation

Q: How can I get the status of my request?
A: Contact your Sales Account Manager to understand the status of your Secure Software Attestation request.

Q: How can I get a Software Bill of Materials (SBOM) for software with a Secure Software Development Attestation?
A: You can request a SBOM through the Cisco SBOM Request form:

Visit: https://cisco.com/go/getsbom

Q: How can I get security vulnerability information for software with a Secure Software Development Attestation?
A: You can request Vulnerability Exploitability eXchange (VEX) statuses through the Cisco Vulnerability Repository (CVR).

See: https://sec.cloudapps.cisco.com/security/center/cvr

Denial of a Secure Software Attestation Request

Q: My Secure Software Attestation request was denied because "it falls outside the EO (Executive Order) window." What is the "EO window?"
A: The Office of Management and Budget (OMB) Memorandum M-22-18 was issued on September 14, 2022. The requirements in that memorandum apply to software developed or modified with major changes after that date, and to software offered on a continuous delivery/deployment basis. Cisco will not provide Secure Software Attestations for software falling outside that window.

Q: My Secure Software Attestation request was denied because the software is End of Service, End of Life, or Last Day of Support. Why can’t I receive an attestation for this software?
A: All products reach the end of their life cycle for several reasons, including market demands, technology innovation and development-driven changes, or product maturity and replacement with functionally richer technology. You can learn more about Cisco’s End of Life policy here:

https://www.cisco.com/c/en/us/products/eos-eol-policy.html

See the comprehensive End of Service and End of Life listing for reference:

https://www.cisco.com/c/en/us/products/eos-eol-listing.html

Cisco strongly encourages you to upgrade the affected product(s) and/or software to more recent offerings, which avoids exposure to vulnerabilities that will no longer be fixed and increases the resiliency of your network.

Cisco and other industry leaders launched the Network Resilience initiative to promote awareness and amplify the importance of taking urgent action to protect critical infrastructure that is no longer maintained by the vendor.

Learn more: https://www.cisco.com/c/en/us/about/trust-center/network-resilience.html