We strive to help businesses understand the laws, policies, procedures, and forms that shape our acquisition environment.
The Federal Register is the official journal of the U.S. Federal Government that contains government agency rules, proposed rules, and public notices. Regulations related to the DHS can be found here.
The Federal Acquisition Regulation System regulates the activities of executive agencies within the U.S. Federal Government when procuring goods and services using appropriated funds. The Federal Acquisition Regulation (FAR) is the principal set of rules in the FAR System that govern the U.S. Federal Government’s procurement process. The FAR authorizes agencies to issue deviations from the FAR when necessary to meet the specific needs and requirements of each agency.
The Federal Acquisition Regulation (FAR) authorizes agencies to issue agency acquisition regulations that implement or supplement the FAR and incorporate, together with the FAR, agency policies, procedures, contract clauses, solicitation provisions, and forms. The Department of Homeland Security Acquisition Regulation (HSAR) is the Department’s acquisition regulation. HSAR deviations are authorized, when necessary, to allow contracting activities to deviate from the HSAR. The HSAR Provision & Clause Matrix provides guidance on the use of all provisions and clauses contained in the HSAR.
The Department of Homeland Security Acquisition Manual (HSAM) establishes uniform Department-wide acquisition procedures, which implement or supplement the Federal Acquisition Regulation (FAR), the Homeland Security Acquisition Regulation (HSAR), and other agency regulations and statutory requirements. Deviations from the HSAM are authorized when necessary to allow DHS Components to deviate from the HSAM.
- Notice to Industry as of December 9, 2021: The Government will take no action to enforce the clause implementing requirements of Executive Order 14042, absent further written notice from the agency, where the place of performance identified in the contract is in a U.S. state or outlying area subject to a court order prohibiting the application of requirements pursuant to the Executive Order (hereinafter, “Excluded State or Outlying Area”). In all other circumstances, the Government will enforce the clause, except for contractor employees who perform substantial work on or in connection with a covered contract in an Excluded State or Outlying Area, or in a covered contractor workplace located in an Excluded State or Outlying Area. A current list of such Excluded States and Outlying Areas is maintained at https://www.saferfederalworkforce.gov/contractors/.
- CPO Reminder Regarding Ongoing Testing Requirements for Unvaccinated Contractor Employees
- Low Risk Closeouts: DHS currently has contracts that are considered over-age, as the period of performance or final delivery date of these actions has expired and the time allowed for contract file closeout has elapsed. To clear the backlog of over-age contracts, DHS, in collaboration with its Procurement Innovation Lab (PIL), developed procedures that enable the Agency to close out these elapsed actions in an efficient and cost-effective manner.
- Service Contract Inventory: Section 743 of Division C of the FY 2010 Consolidated Appropriations Act, P.L. 111-117, requires civilian agencies subject to the Federal Activities Inventory Reform Act of 1998 (Public Law 105-270; 31 U.S.C. 501) to prepare an annual inventory of their service contracts. This site contains Department of Homeland Security service contract inventory reports by fiscal year. The reports meet all Office of Management and Budget requirements on data elements and structure. The service contract inventory supplements include covered service contracts based on the Federal Acquisition Regulation Subpart 4.1703 reporting requirements and as provided by Office of Management and Budget/Office of Federal Procurement Policy. Each analysis and report contains current inventory information and the planned analysis for the coming fiscal year, and covers special interest functions per Office of Management and Budget/Office of Federal Procurement Policy guidance. The government-wide inventory can be found here. The government-wide inventory can be filtered to display the inventory data for DHS.
- FAIR Act: The Federal Activities Inventory Reform Act of 1998 (Public Law 105-270), known as the FAIR Act, was enacted by Congress and requires executive agencies to make an annual accounting of government personnel by location, function, and position performing either commercial activities or inherently governmental activities and submit them to the Office of Management and Budget (OMB). An activity function code is used to describe the work performed by each full time employee.
- The forms listed in this section, DHS Forms 700-1, 700-2 and 700-3, are used primarily for the closeout of cost-reimbursement, time-and-materials, and labor-hour contracts. The forms may also be used for closeout of other contract types to protect the Government's interest. DHS Form 700-4 is used by employees claiming restitution under the contract.
- The National Defense Authorization Act for Fiscal Year 2017, Title VIII, § 880 (Pub. L. 114-328), Pilot Programs for Authority to Acquire Innovative Commercial Items Using General Solicitation Competitive Procedures, authorizes the Department of Homeland Security (DHS) to carry out a “commercial solutions opening pilot program” (CSOP) to competitively procure innovative commercial items. The DHS Commercial Solutions Opening Pilot Program Guide contains the Department’s policy and procedures on the use of the authority.
Information on the Office of Inspector General’s (OIG) Whistleblower Protection Program.
- DHS Cyber Hygiene Assessment Instrument, April 2023. In 2015, the Department of Homeland Security (DHS) incorporated a cyber hygiene clause, known as Homeland Security Acquisition Regulation (HSAR) Class Deviation 15-01, Safeguarding Sensitive Information, into its applicable contracts. This clause mandates contractor compliance with DHS sensitive systems information protection standards and security requirements. The Department’s end goal has been to develop a means of ensuring that each participating contractor has appropriate cybersecurity and cyber hygiene practices in place.
- Leveraging the results of the Department’s FY 2022 Cyber Hygiene Pathfinder Assessment, DHS has established a FY 2023 Cyber Hygiene Assessment instrument to gauge the cybersecurity maturity of existing DHS contractors, where the HSAR Class Deviation 15-01, Safeguarding Sensitive Information clause is applicable. The Department will utilize the information collected from this assessment as a critical input to its larger cyber hygiene management program.
- Organizations that have been identified as part of the population of DHS vendors with the applicable HSAR Class Deviation 15-01, Safeguarding Sensitive Information clause in one or more of their contracts or orders have been provided direct email notification of the requirement to complete the Cyber Hygiene Assessment.
- Identified vendors can utilize the Frequently Asked Questions page here: https://www.dhs.gov/dhs-cyber-hygiene-assessment-faq.
DHS.gov Frequently Asked Questions (FAQs)
Secure Software Attestation in support of OMB M-22-18 and M-23-16
Introduction
Pursuant to Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, the Office of Management and Budget (OMB) has issued memorandums M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices, issued on September 14, 2022, and M-23-16, Update to Memorandum M-22-18, issued on June 9, 2023. These memorandums outline the requirements for Federal Departments and Agencies to collect secure software attestations from software producers and provide supplemental guidance on agencies’ use of Plans of Action and Milestones (POA&Ms).
Question 1: How can I tell if my company is required to submit an attestation form?
Per OMB, if your organization supplies software products to the Federal Government that meet any of the criteria below, you must submit a signed attestation form.
- The software was developed AFTER September 14, 2022 (the effective date of M-22-18);
- The software was developed prior to September 14, 2022, but was modified by major version changes (e.g., using a semantic versioning schema of Major.Minor.Patch, the software version number goes from 2.5 to 3.0) after September 14, 2022; or
- Your organization delivers continuous changes to the software code (as is the case for software-as-a-service products or other products using continuous delivery/continuous deployment).
According to M-23-16 and M-22-18, attestation forms are required for organizations that produce “software”, which includes firmware, operating systems, applications, application services (e.g., cloud-based software), and products containing software.
Question 2: Are there any exemptions to this requirement?
Per M-23-16, software produced by your organization is EXEMPT from the attestation requirement if:
- The software was developed PRIOR to September 14, 2022, and HAS NOT been modified by major version changes (e.g., using a semantic versioning schema of Major.Minor.Patch);
- The software is a THIRD PARTY COMPONENT incorporated into a software end product used by DHS. Attestations are only required for end product software utilized by the DHS;
- The software is freely obtained and publicly available proprietary software;
- The software was developed in-house for the Government.
Question 3: Where can I find the Secure Software Development Attestation Form?
The form can be found at: https://www.cisa.gov/resources-tools/resources/secure-software-development-attestation-form.
Question 4: How do I submit my company’s signed attestation form?
Completed forms must be submitted to the Repository for Software Attestations and Artifacts (RSAA) at https://softwaresecurity.cisa.gov.
A user guide for the RSAA portal is available at https://www.cisa.gov/resources-tools/resources/repository-software-attestations-and-artifacts-rsaa-user-guide.
Question 5: When is my company’s signed attestation form due?
Attestations for software identified as critical in alignment with the National Institute of Standards and Technology (NIST) definition of critical software must be submitted by June 8, 2024.
Attestations for all other software must be submitted by September 8, 2024.
Please see Question 6 for the definition of Critical Software.
Question 6: What is the definition of “Critical Software”?
Critical software, as defined by NIST, means any software that has, or has direct software dependencies upon, one or more components with at least one of the following attributes:
- Is designed to run with elevated privilege or manage privileges;
- Has direct or privileged access to networking or computing resources;
- Is designed to control access to data or operational technology;
- Performs a function critical to trust; or,
- Operates outside of normal trust boundaries with privileged access.
A full description and discussion of what constitutes Critical Software can be found on the NIST website at: https://www.nist.gov/document/white-paper-critical-software-enhancing-security-software-supply-chain.
Question 7: What if my company produces multiple pieces of software used by the Federal Government?
The Secure Software Development Attestation Form can be completed for an individual software product, for multiple software products, or as a company-wide attestation. By submitting a company-wide attestation, you attest that the secure software development practices outlined in the Secure Software Development Attestation Form are integrated throughout your organization’s software development lifecycle for all products.
Question 8: What if my organization is unable to attest to some or all of the secure software development practices outlined on the attestation form?
If you are unable to attest to some or all of the secure software development practices outlined on the attestation form, attach a Plan of Action and Milestones (POA&M) in RSAA, and send an email to DHS.SoftwareAttestation@hq.dhs.gov stating that a POA&M has been uploaded.
Question 9: I support multiple Departments and/or Agencies. Do I need to submit an attestation form for each Department/Agency?
If you submit a company-wide attestation form to the Repository for Software Attestations and Artifacts (RSAA), you do not need to submit a form to each agency. You can associate your attestation with multiple agencies in RSAA. Additional detail can be found in the Repository for Software Attestations and Artifacts (RSAA) User Guide.
Question 10: I have additional questions. Who can I contact?
For questions relating to RSAA functionality, please contact TOC@cisa.dhs.gov.
For questions relating to OMB M-22-18 or M-23-16, please contact the OMB Office of the Federal Chief Information Officer (OFCIO) at ofcio@omb.eop.gov.
For any additional questions, please contact DHS at DHS.SoftwareAttestation@hq.dhs.gov.
For inquiries regarding DHS acquisition policy matters, please contact us at acquisition.policy@hq.dhs.gov.