CISA Issues Software Acquisition Guide

The Cybersecurity and Infrastructure Security Agency (CISA) has released a new guide for government software acquisition. The guidance pushes federal agencies to incorporate "secure by design" principles and standardized security controls into procurement requirements. This move is expected to heighten vendor compliance standards and prioritize supply chain risk management in federal IT purchasing.

- This guide is a direct response to major software supply chain attacks and is designed to shift the security burden from government customers to software manufacturers. It operationalizes the principles of "Secure by Design," making security a core requirement in the development lifecycle rather than an afterthought.
- The document consolidates existing U.S. government cybersecurity guidance, including requirements from President Biden's Executive Order 14028 on Improving the Nation's Cybersecurity, into a single framework for procurement officials. This streamlines compliance for agencies and clarifies expectations for vendors.
- It was developed by the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force, a public-private partnership co-chaired by CISA and representatives from the IT and Communications sectors.
- The guide focuses on the concept of "Secure by Demand," empowering federal agencies to use their purchasing power to require more secure software products. It complements a separate "Secure by Demand" guide that further details how customers can drive security in the tech ecosystem.
- A key feature is a detailed questionnaire organized into five sections: supplier governance, software supply chain, secure software development, secure software deployment, and vulnerability management. An accompanying spreadsheet tool is provided to help procurement staff assess supplier practices.
- The guidance goes beyond simple attestations, like the CISA Secure Software Development Attestation Form, by providing a framework for ongoing dialogue and risk assessment throughout the software's lifecycle. This includes using the guide's questions as a basis for creating a Plan of Action and Milestones (POA&M) for any unmet requirements.
- It aligns with and builds upon foundational frameworks from the National Institute of Standards and Technology (NIST), such as the Secure Software Development Framework (SSDF).
- The guide is intended to enhance transparency from suppliers regarding their development practices and the components used in their software, including open-source libraries. This addresses the challenge acquisition staff face in assessing the security posture of potential software products.


Shared from Scout - Be the smartest in the room.