CFPB Software Attestation needed: JGraph #4604
davidjgraph started this conversation in General
Received this. Maybe someone from the USA knows what it means. None of us live or work in the USA, so we're ignoring.
Dear JGraph Ltd.,
On September 14, 2022, The Biden Administration issued Office of Management and Budget (OMB) memorandum M22-18 Enhancing the Security of the Software Supply Chain through Secure Software Development Practices and subsequent OMB memorandum M23-16 Update to Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices. These policies set forth software producer requirements to self-attest to practicing secure software development standards and practices as defined in The National Institute of Standards and Technology’s (NIST) Secure Software Development Framework (SSDF), NIST Special Publication (SP) 800-218 and the NIST Software Supply Chain Security Guidance.
Per OMB memo 22-18, Software Producers are to provide the Consumer Financial Protection Bureau (CFPB) a signed self-attestation letter per the requirements as defined in the attached secure software attestation form. Deadlines for returning the form, requesting an extension or waiver for any software (both critical and non-critical) must be provided to CFPB by August 27, 2024. If an extension is required, a request must be provided to CFPB with the planned date to meet the OMB memo requirements. If a waiver is required, the software producer must provide a waiver justification and plan of action milestones (POA&M) to mitigate the secure software development risks. Waivers will be granted on a case-by-case basis from The Director of OMB, in consultation with the Assistant to the President and National Security Advisor (APNSA).
*Software for this reporting period for your organization:
Preference is for a company-wide attestation, removing the requirement to obtain future attestations due to software version changes.
For assistance, contact CFPB Software Attestation mailbox at