The Cybersecurity and Infrastructure Security Agency (CISA) announced on Thursday the release of its “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle.”
The guide focuses on the “Secure by Demand” elements by providing recommendations for agency personnel to engage in more relevant discussions so that “better, risk-informed decisions can be made associated with acquisition and procurement of software and cyber-physical products.”
According to CISA, the guide was developed in response to the core challenges of software assurance and cybersecurity transparency in the acquisition process, focusing primarily on software lifecycle activities.
Developed by the Information and Communications Technology (ICT) SCRM Task Force, the 61-page guide consolidates relevant software assurance guidance and frameworks into a single document, enabling stakeholders to easily navigate through these requirements in a clear, concise manner.
The ICT SCRM Task Force also developed an accompanying spreadsheet that complements the guide and assists users with navigating the document.
“The ICT SCRM Task Force Software Assurance Working Group created the guide for acquisition and procurement organizations to initiate discussions with their cybersecurity staff and enterprise risk owners, such as Chief Information Officers and Chief Information Security Officers, to ensure the security of their software acquisitions,” said CISA National Risk Management Center Assistant Director and ICT SCRM Task Force Co-Chair Mona Harrington.
“It provides critical federal guidance, including CISA’s Secure by Design principles, and a list of questions that should be addressed to mitigate risk exposure from software obtained from third parties,” Harrington added.
Many well-known cyberattacks have exploited vulnerabilities and weaknesses in software and within software supply chains in proprietary and open-source software, adversely impacting private sector and government enterprises, CISA said. This recurring issue prompted an increased need to rebalance responsibilities for cybersecurity risks between software suppliers and consumers.
When acquirers engage in candid discussions of software supply chain processes with their suppliers, they can make better, risk-informed decisions about the acquisition and procurement of software products and services.
“Consumers, demanding security be built into the products and services they purchase, can function as the market signal, driving systemic changes across the software supplier ecosystem,” the agency said.