CISA unveils guide to improve software security

Software Security Guide

The Cybersecurity and Infrastructure Security Agency (CISA) released a new guide on Thursday to help federal acquisition and contracting professionals better assess the security of the software they procure. The “Software Acquisition Guide for Government Enterprise Consumers” aims to simplify the complex landscape of software security. The guide was developed by the Information and Communications Technology Supply Chain Risk Management Task Force, co-led by CISA and industry representatives.

It consolidates existing software assurance guidance and frameworks into a single 61-page document that is easy to navigate. Mona Harrington, assistant director of CISA’s National Risk Management Center, emphasized the importance of the guide. “It provides critical federal guidance, including CISA’s ‘Secure by Design’ principles, and lists questions that should be addressed to mitigate risk exposure from software obtained from third parties,” Harrington said.

The guide arrives as agencies navigate new software security requirements. Earlier this year, CISA finalized a secure software attestation form mandated by the White House, requiring agencies to ensure their software suppliers complete the form before proceeding with purchases. The new guide aligns with these efforts, helping agencies request detailed information about vendors’ software supply chain security controls.

Guide for federal software procurement

The guide explains how agencies can seek insights from vendors about specific software supply chain security measures. “Software is increasingly composed of third-party development libraries which might be open-source, commercial, or contracted,” the guide states.

“The lack of visibility into these components poses significant risks.”

Improving the security of the government’s software supply chain has been a priority since President Joe Biden issued a cybersecurity executive order following the SolarWinds breach that affected multiple federal agencies. The Federal Acquisition Regulatory Council is also working on a highly anticipated software security rule. Once finalized, it will require government software vendors to comply with specific secure software development requirements.

CISA emphasized that numerous cyberattacks have exploited vulnerabilities in both proprietary and open-source software within software supply chains, adversely affecting both the private and public sectors. This recurring issue has highlighted the need to rebalance responsibilities for cybersecurity risks between software suppliers and consumers. By promoting candid discussions about software supply chain processes, more informed decisions can be made regarding the acquisition and procurement of software products and services.

“Consumers demanding security to be built into the products and services they purchase can act as a market signal, driving systemic changes across the software supplier ecosystem,” the agency noted.