Press Release

CISA Releases Secure by Demand Guide

Released

Helps organizations buying software understand manufacturers' approach to cybersecurity

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released today the Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem, which helps organizations buying software better understand their software manufacturers' approach to cybersecurity and ensure that secure by design is one of their core considerations.

An organization’s acquisition staff often has a general understanding of the core cybersecurity requirements for a particular technology acquisition. However, they frequently don’t assess whether a given supplier has practices and policies in place to ensure that security is a core consideration from the earliest stages of the product development lifecycle.

This guide provides organizations with questions to ask when buying software, considerations for integrating product security into various stages of the procurement lifecycle, and resources to assess product security maturity in line with secure by design principles. Informed by the threat landscape, it provides categorized sets of actions that, if done correctly, will demonstrate to the customer that the software manufacturer is taking actions that will drive down exploitable defects and misconfigurations – a safer product for the customer.

“We are glad to see leading technology vendors recognize that their products need to be more secure and voluntarily join the Secure by Design pledge. Businesses can also help move the needle by making better risk-informed decisions when purchasing software,” said CISA Director Jen Easterly. “This new guide will help software customers understand how they can use their purchasing power to procure secure products and turn Secure by Design into Secure by Demand.”

This guide is concise and usable by any customer of software during procurement discussions with third-party resellers or service providers. Recommendations in this guide include obtaining the manufacturer's software bill of materials that lists third-party software components, roadmaps that identify how the manufacturer plans to eliminate classes of vulnerability in its products, and its publicly available vulnerability disclosure policy, if one is operated.

This guide complements the recently published "Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle."

Organizations are encouraged to review both the Secure by Demand Guide and Software Acquisition Guide and implement recommended actions.

For more information, please visit Secure by Design.

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, and Instagram.