Two-day intensive on the NIST Secure Software Development Framework (SSDF), Software Bill of Materials generation, and the OMB M-22-18 attestation requirements for federal contractors. Covers tooling, format selection (SPDX vs CycloneDX), vulnerability disclosure, and CISA self-attestation form completion.
Federal contractors face mounting pressure to demonstrate that the software they develop and deliver meets rigorous security standards. This two-day intensive gives compliance practitioners the framework knowledge, hands-on tooling exposure, and completed artifacts they need to satisfy those demands — starting with the controls that actually matter to your agency customers and contracting officers.
We open with a structured walkthrough of the NIST SSDF (NIST SP 800-218), covering its four practice groups: Prepare the Organization, Protect the Software, Produce Well-Secured Software, and Respond to Vulnerabilities. Participants learn how to map existing development and security practices to SSDF tasks and identify gaps that would surface during a federal attestation review. Emphasis is placed on evidence collection — what documentation you need to substantiate each practice area before you sign anything.
Day one closes with a practical deep-dive into SBOM generation. We compare the two dominant machine-readable formats — SPDX and CycloneDX — examining the structural differences, federal agency preferences, and tool ecosystem behind each. You will work through real generation scenarios using representative open-source and commercial tooling, understand minimum element requirements as defined by NTIA guidance, and develop a format-selection rationale you can defend to a contracting officer or agency reviewer.
Day two centers on OMB Memorandum M-22-18, which requires federal agencies to obtain software attestation from producers of software used by the federal government. We dissect what the memorandum actually requires, who it applies to, and how attestation obligations flow down to contractors and subcontractors. Participants walk through the CISA self-attestation form field by field, learning what each declaration commits your organization to and how to gather the supporting evidence before your authorized official signs. We also cover the role of Software Artifacts — Plans of Action and Milestones (POA&Ms) and third-party assessments — when a practice cannot be fully attested.
Attestation is not a one-time event. The final module addresses vulnerability disclosure obligations, coordinated disclosure processes, and how to maintain SBOM currency as your software evolves. We discuss how vulnerability findings in downstream components affect your attestation posture and what remediation documentation keeps you in good standing with federal customers.
This session is designed for the practitioners doing the work and the leaders responsible for the outcomes. If your organization develops, integrates, or delivers software under federal contracts, the following roles will find immediate, applicable value:
Managers approving this training: your team members will return with completed templates, a defensible attestation evidence package, and a clear understanding of where your current practices fall short, before a contracting officer identifies those gaps first.
Software supply chain security does not exist in isolation. Organizations that complete this training often find it connects directly to broader compliance program development efforts, particularly where software attestation intersects with existing risk management frameworks and vendor oversight responsibilities. Cleared Systems offers follow-on advisory support to help your team move from training to implemented, audit-ready controls. Visit our engagement models page to explore how we work with defense contractors at every stage of compliance maturity.
Ask about group rates, private delivery of this curriculum for your team, or whether this session fits your compliance roadmap.