PUBLICATION

Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle

The Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle was developed in response to the core challenges of software assurance and cybersecurity transparency in the acquisition process, focusing primarily on software lifecycle activities. The Guide addresses the "Secure by Demand" elements by giving agency personnel, including mission owners, contracting staff, and requirements offices, recommendations for more relevant discussions with their enterprise risk owners (such as CIOs and CISOs) and with candidate suppliers, so that better, risk-informed decisions can be made about the acquisition and procurement of software and cyber-physical products.

Many well-known attacks have exploited vulnerabilities and weaknesses in software and in software supply chains, an issue that spans both proprietary and open-source software and affects private sector and government enterprises alike. Customers (often represented by their acquisition and procurement organizations) can use the guidance in the Guide as a basis to describe, assess, and measure suppliers' security practices across the software life cycle without requiring that acquisition team members become cybersecurity experts. The Guide builds on existing US government cybersecurity guidance to address four phases of software ownership: software supply chains, development practices, deployment, and vulnerability management.

The Secure by Demand Guide complements the ICT SCRM Task Force's Software Acquisition Guide by helping organizations that buy software better understand their software manufacturers' approach to cybersecurity and ensure that Secure by Design is one of those manufacturers' core considerations.
