CISA releases software security acquisition guide


The Cybersecurity and Infrastructure Security Agency (CISA) has released a new guide aimed at helping federal acquisition and contracting professionals navigate the complexities of software security. The “Software Acquisition Guide for Government Enterprise Consumers” seeks to improve how agencies evaluate the security of the software they purchase. The guide was authored by the Information and Communications Technology Supply Chain Risk Management Task Force, co-led by CISA and industry representatives.

It is designed to bridge the gap between acquisition processes and IT security requirements. Mona Harrington, assistant director of CISA’s National Risk Management Center and co-chairwoman of the task force, stated that the guide was created to foster discussions between acquisition and procurement organizations, cybersecurity staff, and enterprise risk owners such as chief information officers and chief information security officers. “It provides critical federal guidance, including CISA’s ‘Secure by Design’ principles, and a list of questions that should be addressed to mitigate risk exposure from software obtained from third parties,” Harrington said.

The guide comes as agencies grapple with new and evolving software security requirements. Earlier this year, CISA finalized a secure software attestation form mandated by the White House. This form requires agencies to ensure their software suppliers complete it before making purchases. According to the guide, careful consideration has been made to align it with existing software security efforts, including the attestation form.

CISA’s software acquisition guidance

The guide includes questions to help inform requirements, contracting, and acquisition approaches. The task force emphasizes that the information gathered from suppliers through these questions can raise the bar on cybersecurity transparency.

The guide advises agencies to request vendor information about specific software supply chain security controls. It highlights the risks posed by third-party libraries, often used in software development, and suggests that agencies need more visibility into third-party teams’ design, development, and implementation decisions. Additionally, the guide details various software development controls, deployment controls, and vulnerability management processes, indicating that these are essential to improving the security of the government’s software supply chain.

This aligns with President Joe Biden’s May 2021 cybersecurity executive order, issued after Russian hackers breached multiple federal agencies through the enterprise software supplier SolarWinds. The Federal Acquisition Regulation (FAR) Council is also working on a highly anticipated software security rule. Once finalized, it will require government software vendors to comply with specific secure software development requirements.

A recent update from the FAR Council shows that officials are currently revising a draft version of the rule.
