From fde74ad826c4906fec07aa509a2a32a7a91af2d0 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Tue, 29 Oct 2024 15:21:24 -0500 Subject: [PATCH 1/2] Create a template response to requests for SSDF attestationss --- docs/SSDF-Request-Response.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 docs/SSDF-Request-Response.md diff --git a/docs/SSDF-Request-Response.md b/docs/SSDF-Request-Response.md new file mode 100644 index 0000000..cbcfb0b --- /dev/null +++ b/docs/SSDF-Request-Response.md @@ -0,0 +1,16 @@ +Dear [AGENCY CONTACT], + +I write in response to [AGENCY]’s request that the Python Software Foundation (PSF) submit a form attesting that its software development practices comport with federal government security standards. For the reasons set forth below, PSF is unable to provide the requested attestation. + +We recognize that, according to recent regulations, federal agencies such as yours have obligations to collect security attestations from the producers of software used by your agency. However, PSF does not supply software directly to any federal agency. Rather, PSF is a nonprofit organization that supports the collaborative development of free and open source software (FOSS) which is distributed freely online. + +FOSS is the foundation for essentially all modern software development. Nearly every software product on the market depends on FOSS frameworks, libraries, applications, and compilers. And in this way, community-developed FOSS finds its way into the supply chain of many federal agencies. + +We presume that PSF software was obtained by your agency or its suppliers from a publicly available source. According to OMB Memorandum M-23-16, Update to Memorandum M-22-18, [Enhancing the Security of the Software Supply Chain through Secure Software Development Practices](https://www.whitehouse.gov/wp-content/uploads/2023/06/M-23-16-Update-to-M-22-18-Enhancing-Software-Security-1.pdf), federal agencies are not required to collect attestations from the producers of either (1) “third-party software components that are incorporated into the software end product used by the agency,” or (2) “open-source software freely and directly obtained by Federal agencies.” + +Therefore, our understanding is that your agency does not require an attestation from PSF. We trust this resolves the matter. If you have any questions about our position, you may contact our [TITLE] [NAME] at [CONTACT INFO]. + +Sincerely, +[SIGNATURE] +[NAME] +[TITLE] From 21c1bae878991b4f513abff0f7a4afbee8070c52 Mon Sep 17 00:00:00 2001 From: Ee Durbin Date: Tue, 10 Dec 2024 14:59:58 -0500 Subject: [PATCH 2/2] restructure, add to TOC, add TODO --- docs/{ => reference}/SSDF-Request-Response.md | 10 +++++++--- mkdocs.yml | 2 ++ 2 files changed, 9 insertions(+), 3 deletions(-) rename docs/{ => reference}/SSDF-Request-Response.md (96%) diff --git a/docs/SSDF-Request-Response.md b/docs/reference/SSDF-Request-Response.md similarity index 96% rename from docs/SSDF-Request-Response.md rename to docs/reference/SSDF-Request-Response.md index cbcfb0b..05093de 100644 --- a/docs/SSDF-Request-Response.md +++ b/docs/reference/SSDF-Request-Response.md @@ -1,3 +1,7 @@ +!TODO! The below form letter is... + +--- + Dear [AGENCY CONTACT], I write in response to [AGENCY]’s request that the Python Software Foundation (PSF) submit a form attesting that its software development practices comport with federal government security standards. For the reasons set forth below, PSF is unable to provide the requested attestation. @@ -10,7 +14,7 @@ We presume that PSF software was obtained by your agency or its suppliers from a Therefore, our understanding is that your agency does not require an attestation from PSF. We trust this resolves the matter. If you have any questions about our position, you may contact our [TITLE] [NAME] at [CONTACT INFO]. -Sincerely, -[SIGNATURE] -[NAME] +Sincerely, +[SIGNATURE] +[NAME] [TITLE] diff --git a/mkdocs.yml b/mkdocs.yml index 36b88b5..87241bb 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -50,3 +50,5 @@ nav: - "us.pycon.org/code-of-conduct/index.md" - "us.pycon.org/code-of-conduct/Enforcement-Procedures.md" - "us.pycon.org/code-of-conduct/Procedures-for-Reporting-Incidents.md" + - "Reference": + - "reference/SSDF-Request-Response.md"