On October 14, 2025, CISA, acting for DHS, published "Software Assurance Expectations for Federal Acquisition: 2025 Update." It is the most consequential federal guidance on software supply chain security since the OMB M-22-18 attestation memorandum. The document refreshes M-22-18 expectations for agencies buying software, reshapes the self-attestation form (now version 3), and for the first time binds secure-by-design pledge commitments to concrete acquisition language. It also introduces a tiered requirement model: "critical" software vendors must produce SBOMs in CycloneDX 1.6 or SPDX 3.0, include provenance attestations, and support the new Federal Procurement Data System (FPDS) SBOM transmittal path starting March 1, 2026. For any vendor selling to US federal buyers or their primes, the practical takeaway is that the rules just got more specific. Here is what changed and what to do.
What are the three tiers in the new guidance?
Tier 1 is "critical software" as defined by NIST SP 800-161r1 plus CISA's 2024 critical-software list, covering identity, OS, hypervisor, EDR, and software used to develop software. Tier 2 is "mission-enabling" software, including SaaS supporting CUI. Tier 3 is everything else. Tier 1 must produce an SBOM, a build provenance attestation (SLSA Level 2 minimum), and a self-attestation v3. Tier 2 must produce an SBOM and self-attestation. Tier 3 must provide self-attestation only. The tiering is vendor-driven but auditable by the buying agency, with CISA reserving a right of review.
What changed about the self-attestation form?
Version 3, effective November 1, 2025, adds three concrete controls beyond v1 and v2: (a) verified proof of FIDO2 on privileged developer accounts, (b) evidence of automated vulnerability scanning in CI, and (c) explicit disclosure of the use of AI-generated code with provenance. The v3 form also shortens the attestation window from one year to nine months for Tier 1 products, which will hit most vendors' renewal calendars in mid-2026. GSA will reject v1 and v2 attestations on renewals after January 15, 2026.
How are SBOMs being transmitted and validated?
Through a new FPDS field plus a CISA-operated intake API at sbom.cisa.gov (IP-restricted for federal use), starting March 1, 2026. Acceptable formats are CycloneDX 1.6 and SPDX 3.0; CycloneDX 1.4 and SPDX 2.3 are accepted only until September 30, 2026. Validation includes schema compliance, component-to-purl resolution, and a cross-check against the NVD and KEV catalogs at ingestion time. Vendors whose SBOMs fail validation receive a 30-day cure window before the contracting officer is notified.
Example of a required attestation evidence bundle (JSON does not allow comments, so the description sits outside the object):
{
  "sbom": "cyclonedx-1.6.json",
  "provenance": "slsa-2-attestation.intoto.jsonl",
  "attestation_form": "self-attestation-v3.pdf",
  "fido2_evidence": "privileged-users-roster.csv"
}
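A pre-submission check a vendor could run before pushing to the intake, covering both the tier evidence requirements and the ingestion checks described above (format version, purl per component, KEV cross-check). This is an added example, not code from the guidance or from Safeguard; it handles CycloneDX JSON only, and the SBOM, bundle keys and CVE ids below are constructed placeholders.

```python
import json

# Evidence each tier must supply, as the guidance describes it
TIER_REQUIREMENTS = {
    1: {"sbom", "provenance", "attestation_form"},
    2: {"sbom", "attestation_form"},
    3: {"attestation_form"},
}
# CycloneDX specVersion values: accepted outright vs. accepted only until 2026-09-30
ACCEPTED_CDX = {"1.6"}
SUNSET_CDX = {"1.4"}

# Constructed sample: a CycloneDX 1.6 document with one component lacking a purl
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.6",
  "components": [
    {"name": "libfoo", "version": "2.1.0", "purl": "pkg:generic/libfoo@2.1.0"},
    {"name": "vendored-blob", "version": "0.9"}
  ],
  "vulnerabilities": [{"id": "CVE-0000-0001"}, {"id": "CVE-0000-0002"}]
}""")
# Constructed stand-in for an offline KEV snapshot (placeholder ids, not real entries)
KEV_SNAPSHOT = {"CVE-0000-0002"}


def missing_evidence(bundle, tier):
    """Evidence keys the tier requires that the bundle does not carry."""
    return sorted(TIER_REQUIREMENTS[tier] - set(bundle))


def check_cyclonedx(sbom, kev_ids):
    """Approximate the intake checks: spec version, purl per component, KEV cross-check."""
    findings = []
    version = sbom.get("specVersion")
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append("not a CycloneDX document")
    elif version in SUNSET_CDX:
        findings.append(f"CycloneDX {version} accepted only until 2026-09-30")
    elif version not in ACCEPTED_CDX:
        findings.append(f"CycloneDX {version} is not an accepted version")
    for comp in sbom.get("components", []):
        if not comp.get("purl"):  # intake resolves components via purl
            findings.append(f"component {comp.get('name')} has no purl")
    for vuln in sbom.get("vulnerabilities", []):
        if vuln.get("id") in kev_ids:
            findings.append(f"{vuln['id']} is listed in KEV")
    return findings


if __name__ == "__main__":
    bundle = {"sbom": "cyclonedx-1.6.json", "attestation_form": "self-attestation-v3.pdf"}
    print(missing_evidence(bundle, 1), check_cyclonedx(SAMPLE_SBOM, KEV_SNAPSHOT))
```

Any non-empty result is something that would otherwise surface as a validation failure and start the 30-day cure window.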
How does this interact with secure-by-design pledges?
For vendors that signed the April 2024 CISA Secure-by-Design pledge, six of the seven pledge goals are now incorporated by reference into federal acquisition language for Tier 1 products. MFA, vulnerability disclosure, default-secure configurations, security patches, secure development practices, and transparent CVE reporting are contractually expected. Reducing the prevalence of classes of vulnerability (goal five) is referenced but not yet enforced as a contract term. This is the first time a voluntary pledge has been translated into binding procurement language without Congressional action.
What is the realistic timeline for vendors?
Key dates: November 1, 2025: self-attestation v3 in use. January 15, 2026: last day agencies accept v1 or v2 on renewals. March 1, 2026: FPDS SBOM transmittal goes live. September 30, 2026: last day CycloneDX 1.4 and SPDX 2.3 are accepted. Vendors should treat Q4 2025 as the planning quarter and Q1 2026 as the remediation quarter, and be ready for audits by mid-2026. Agencies have also been told to update sole-source justifications, which may surface incumbent-vendor exceptions in the interim.
How Safeguard Helps
Safeguard generates CycloneDX 1.6 and SPDX 3.0 SBOMs natively, attaches SLSA Level 2 and 3 build provenance attestations, and maintains an evidence bundle aligned to self-attestation v3, including FIDO2 rosters and CI scan logs. When CISA opens the FPDS SBOM transmittal endpoint on March 1, 2026, customers can push artifacts directly from Safeguard to the intake API with one policy-gated action. The platform also maps findings to the Secure-by-Design pledge goals, so vendors can track, in a single dashboard, where they stand against contract-binding expectations.