Press Release

CISA Releases Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle


WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) announced the release of its “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle.” Developed by the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force, this guide consolidates relevant software assurance guidance and frameworks into a single document and enables stakeholders to easily navigate through these requirements in a clear, concise manner. 

“The ICT SCRM Task Force Software Assurance Working Group created the guide for acquisition and procurement organizations to initiate discussions with their cybersecurity staff and enterprise risk owners, such as Chief Information Officers and Chief Information Security Officers, to ensure the security of their software acquisitions,” said CISA National Risk Management Center Assistant Director and ICT SCRM Task Force Co-Chair Mona Harrington. “It provides critical federal guidance, including CISA’s Secure by Design principles, and a list of questions that should be addressed to mitigate risk exposure from software obtained from third parties.”

Many well-known cyber-attacks have exploited vulnerabilities and weaknesses in software and within software supply chains in proprietary and open-source software, adversely impacting private sector and government enterprises. This recurring issue prompted an increased need to rebalance responsibilities for cybersecurity risks between software suppliers and consumers. The Software Acquisition Guide is in response to the core challenges of software assurance and cybersecurity transparency in the acquisition process, focusing primarily on software lifecycle activities. 

“This Guide provides a foundation for addressing product security principles within the software lifecycle, including design, development, deployment, and operational use,” said Robert Mayer, Senior Vice President of Cybersecurity and Innovation at USTelecom and ICT SCRM Task Force Co-Chair. “I am thankful to the Software Assurance Working Group for their significant contribution having worked with numerous entities over the last two years to ensure the Guide will be relevant and useful to acquisitions and procurement professionals.” 

By engaging in candid discussions of software supply chain processes, better, risk-informed decisions can be made for the acquisition and procurement of software products and services. Consumers, demanding security be built into the products and services they purchase, can function as the market signal, driving systemic changes across the software supplier ecosystem. 

“The anticipation for the release of the Software Acquisition Guide not only garnered attention from Task Force members but also sparked an outpouring of interest from various stakeholders at the ICT SCRM Task Force Conference that took place on June 12, 2024,” said John Miller, Senior Vice President of Policy for Trust, Data, and Technology and General Counsel, Information Technology Industry (ITI) Council and ICT SCRM Task Force Co-Chair. “This Guide serves as a useful tool for customers of acquisition and procurement organizations who can use this guidance as a basis for describing, assessing, and measuring security practices relative to the software life cycle. A huge thank you to the Software Assurance Working Group for their work and diligence in creating such a thorough and groundbreaking document.”

The ICT SCRM Task Force also developed an accompanying Spreadsheet that complements the Software Acquisition Guide and assists users with navigating the document. 

The Task Force will host a webinar on the Software Acquisition Guide in the fall. Registration information will be posted on the ICT SCRM Task Force website.

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, and Instagram.