The U.S. government has announced a new requirement that will mandate organizations selling software to the government to self-attest that they follow the secure software development practices outlined in the NIST Secure Software Development Framework (SSDF).

Dates for compliance are approaching soon

In memorandum M-22-18, the government outlines dates by which these self-attestations will be required. The direct follow-up memorandum M-23-16 adjusted the initial proposed dates—the end of 2023 for critical software and early 2024 for all other software.

Self-attestation is required for all software suppliers

Going forward, federal agencies will only be able to buy software from providers who can attest to complying with the NIST guidance.

How Tidelift can help

Watch a demo to learn how Tidelift can help your organization meet attestation requirements for the open source components in your software supply chain


Many organizations already have internal controls and processes in place that will help them complete the NIST self-attestation requirements for the code they write themselves. Tidelift helps you complete self-attestation requirements for the open source dependencies in your applications (which in many codebases makes up 75% or more of the code).

The Tidelift Subscription is a complete solution for managing open source, including the tools, data, and strategies you need to document your open source software supply chain security practices.

Tidelift pays the maintainers behind thousands of the most commonly used open source packages to attest their projects are developed using secure software development practices. Our subscription includes:

The only source for first-hand attestation data from the maintainers behind thousands of open source packages that go into your software, aligned to the U.S. government’s NIST Secure Software Development Framework (SSDF) standards.

A standardized attestations report, to be used as evidence that the open source dependencies in your organization’s applications follow secure software development best practices.

A solution for dynamically tracking attestations for open source components going into your product, and keeping these attestations current automatically.


“From a security remediation point of view... no other vendor came close to the level of detail Tidelift provides—because Tidelift works directly with the open source maintainers of the projects EMPLOYERS and other enterprise organizations depend on.

“That relationship is pure gold. The openness you have with the open source maintainers and the ability to talk with the consumers about how we’re using their products—we have a direct line of communication from their fixes and what versions we should be using.”