CISA guide assists in secure software procurement


The Cybersecurity and Infrastructure Security Agency (CISA) released a new guide to help government agencies make informed decisions when acquiring software products. The “Software Acquisition Guide for Government Enterprise Consumers” aims to address software assurance and cybersecurity transparency challenges in the acquisition process. Developed by the Information and Communications Technology Supply Chain Risk Management Task Force, the guide consolidates various software assurance guidelines and frameworks into a single, user-friendly document.

It focuses on software lifecycle activities and provides critical federal guidance, including CISA’s “Secure by Design” principles and a list of questions that should be addressed to mitigate risk exposure from third-party software. Mona Harrington, CISA National Risk Management Center Assistant Director and ICT SCRM Task Force Co-Chair, emphasized the guide’s purpose. “The task force created the guide for acquisition and procurement organizations to initiate discussions with their cybersecurity staff and enterprise risk owners, such as Chief Information Officers and Chief Information Security Officers, to ensure the security of their software acquisitions,” Harrington said.

Recent cyberattacks exploiting vulnerabilities within software supply chains have impacted both the private sector and government enterprises, highlighting the need to rebalance cybersecurity responsibilities between software suppliers and consumers.

CISA’s guide for secure acquisitions

Stakeholders can make more informed decisions when acquiring software products and services by promoting candid discussions on software supply chain processes.

CISA stated, “Consumers, demanding security be built into the products and services they purchase, can function as the market signal, driving systemic changes across the software supplier ecosystem.”

The guide provides detailed descriptions of software development controls, software deployment controls, and vulnerability management processes. It advises agencies to request vendor information about specific software supply chain security controls. It points out the significant risks posed by the lack of visibility into third-party development teams’ design, development, and implementation decisions. The release of this guide coincides with evolving software security requirements and the finalized secure software attestation form mandated earlier this year by the White House.

Agencies must ensure their software suppliers complete this form before proceeding with purchases. The task force carefully aligned the guide with existing software security efforts, including the attestation form. The document describes key questions intended to inform requirements, contracting, and acquisition approaches, stating, “The information and insights gathered from suppliers help raise the bar on cybersecurity transparency.”

Improving the security of the government’s software supply chain is part of President Joe Biden’s May 2021 cybersecurity executive order, issued in response to the breach of multiple federal agencies by Russian hackers through the enterprise software supplier SolarWinds.
