Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create a template response to requests for SSDF attestationss #26

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Create a template response to requests for SSDF attestationss #26

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions docs/SSDF-Request-Response.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
Dear [AGENCY CONTACT],

I write in response to [AGENCY]’s request that the Python Software Foundation (PSF) submit a form attesting that its software development practices comport with federal government security standards. For the reasons set forth below, PSF is unable to provide the requested attestation.

We recognize that, according to recent regulations, federal agencies such as yours have obligations to collect security attestations from the producers of software used by your agency. However, PSF does not supply software directly to any federal agency. Rather, PSF is a nonprofit organization that supports the collaborative development of free and open source software (FOSS) which is distributed freely online.

FOSS is the foundation for essentially all modern software development. Nearly every software product on the market depends on FOSS frameworks, libraries, applications, and compilers. And in this way, community-developed FOSS finds its way into the supply chain of many federal agencies.

We presume that PSF software was obtained by your agency or its suppliers from a publicly available source. According to OMB Memorandum M-23-16, Update to Memorandum M-22-18, [Enhancing the Security of the Software Supply Chain through Secure Software Development Practices](https://www.whitehouse.gov/wp-content/uploads/2023/06/M-23-16-Update-to-M-22-18-Enhancing-Software-Security-1.pdf), federal agencies are not required to collect attestations from the producers of either (1) “third-party software components that are incorporated into the software end product used by the agency,” or (2) “open-source software freely and directly obtained by Federal agencies.”

Therefore, our understanding is that your agency does not require an attestation from PSF. We trust this resolves the matter. If you have any questions about our position, you may contact our [TITLE] [NAME] at [CONTACT INFO].

Sincerely,
[SIGNATURE]
[NAME]
[TITLE]