SolarWinds submitted its self-attestation in alignment with CISA’s and OMB’s requirements on March 20, 2024, becoming the first software provider to attest to meeting these requirements for federal government customers and all users. We initially committed to this in an announcement made on July 18, 2023.
On March 11, 2024, the Cybersecurity & Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) released the Secure Software Development Attestation Form and announced its new Repository for Software Attestations and Artifacts (RSAA), which launched on March 18.
SolarWinds submitted self-attestation for the following offerings:
- Hybrid Cloud Observability version 2024.1
- Hybrid Cloud Observability (formerly Orion) modules Network Performance Monitor (NPM), NetFlow Traffic Analyzer (NTA), Network Configuration Manager (NCM), VoIP & Network Quality Manager (VNQM), IP Address Manager (IPAM), User Device Tracker (UDT), Virtualization Manager (VMAN), Log Analyzer, Server & Application Monitor (SAM), Server Configuration Monitor (SCM), Storage Resource Monitor (SRM), and Web Performance Monitor (WPM)
- SolarWinds Observability as of March 5, 2024
- IT Service Management as of March 17, 2024
OMB issued memorandum M-22-18 on September 14, 2022, with the aim of ensuring software security for the U.S. federal government’s information and communications technology products and services and protecting these systems from nation-state and criminal actors seeking to disrupt our nation’s critical functions and reduce overall risk from cyberattacks. It requires federal agencies to use software only from producers who can attest to complying with the government-specified secure software development practices, as described in the NIST Guidance.
On June 9, 2023, OMB issued memorandum M-23-16 to reinforce these requirements, reaffirm the importance of secure software development practices, and extend the timelines for agencies to collect attestations from software producers. It supplemented guidance for requirements and provided guidance on how agencies should act when a software producer cannot provide the required attestation but plans to do so. The RSAA launched March 18 serves to satisfy the requirements set forth in OMB’s memoranda and provides a searchable record of software providers’ attestations.
This self-attestation is another step in the SolarWinds Secure by Design initiative, launched in 2021 in response to the SUNBURST cyberattack. This initiative is a multi-pronged strategic approach featuring proprietary technology, products, and processes designed to further strengthen the company and industry at large.
This blog contains “forward-looking” statements, which are subject to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including statements regarding our self-attestation form. These forward-looking statements are based on management's beliefs and assumptions and on information currently available to management. Forward-looking statements include all statements that are not historical facts and may be identified by terms such as “aim,” “anticipate,” “believe,” “can,” “could,” “seek,” “should,” “feel,” “expect,” “will,” “would,” “plan,” “intend,” “estimate,” “continue,” or similar expressions and the negatives of those terms. Forward-looking statements involve known and unknown risks, uncertainties, and other factors that may cause actual results, performance, or achievements to be materially different from any future results, performance, or achievements expressed or implied by the forward-looking statements. Factors that could cause or contribute to such differences include but are not limited to, the risks and uncertainties described more fully in documents filed with or furnished to the Securities and Exchange Commission, including the risk factors discussed in our Annual Report on Form 10-K for the period ended December 31, 2023, filed on February 16, 2024. All information provided in this release is as of the date hereof, and SolarWinds undertakes no duty to update this information except as required by law.
