The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released the “Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem.”
This comprehensive CISA Secure by Demand guide aims to empower organizations purchasing software by providing them with the necessary tools and knowledge to evaluate the cybersecurity practices of software manufacturers, ensuring that “secure by design” principles are integral to their procurement processes.
CISA Secure by Demand Guide: Addressing a Critical Gap in Procurement Practices
In many organizations, acquisition staff possess a general understanding of core cybersecurity requirements for technology acquisitions. However, they often overlook the critical need to assess whether software suppliers have embedded security considerations from the earliest stages of product development. This oversight can lead to the procurement of software products that may be vulnerable to exploitation.
The “Secure by Demand Guide” seeks to fill this gap by offering practical guidance on how to integrate product security into various stages of the procurement lifecycle.
The CISA guide is designed to help organizations make risk-informed decisions and ensure that their suppliers prioritize cybersecurity throughout the product development process.
Empowering Organizations with Key Questions and Resources
The guide provides a set of strategic questions that organizations can use when evaluating software vendors. These questions are aimed at uncovering the depth of a vendor’s commitment to cybersecurity and include inquiries about their security practices, policies, and the integration of security into their product development lifecycle.
Some of the key recommendations in the guide include:
- Obtaining the Manufacturer’s Software Bill of Materials (SBOM): This document lists third-party software components used in the product, helping organizations understand potential vulnerabilities and dependencies.
- Reviewing Security Roadmaps: Organizations should request vendors’ roadmaps that outline plans to eliminate classes of vulnerabilities in their products.
- Vulnerability Disclosure Policies: Checking if vendors have publicly available policies for disclosing vulnerabilities ensures transparency and accountability.
Aligning with Secure by Design Principles
This CISA guide complements the recently published “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle.” Together, these guides provide a comprehensive framework for incorporating security considerations into software procurement processes.
The new guide also serves as a counterpart to CISA’s “Secure by Design” guidance for technology manufacturers. This earlier guidance highlights three fundamental principles that manufacturers should follow:
- Take Ownership of Customer Security Outcomes: Manufacturers must prioritize the security of their customers by proactively addressing potential threats and vulnerabilities in their products.
- Embrace Radical Transparency and Accountability: Clear communication and openness about security practices and vulnerabilities are essential for building trust with customers.
- Build Organizational Structure and Leadership: Establishing robust leadership and organizational frameworks to support security initiatives is crucial for achieving these goals.
Shifting Focus from Enterprise Security to Product Security
The guide emphasizes the importance of distinguishing between enterprise security and product security. While enterprise security focuses on protecting a company’s own infrastructure and operations, product security pertains to the measures a software manufacturer takes to ensure their products are secure against potential attacks.
Many compliance standards used during procurement processes focus on enterprise security, often neglecting the critical aspect of product security. This guide addresses this gap by providing resources and strategies for assessing the product security maturity of software manufacturers and ensuring they adhere to secure by design principles.
Integrating Product Security Throughout the Procurement Lifecycle
To effectively integrate product security into the procurement process, organizations are encouraged to:
- Before Procurement: Pose questions to understand each candidate software manufacturer’s approach to product security. This pre-procurement assessment helps identify vendors committed to secure product development.
- During Procurement: Incorporate product security requirements into contract language, ensuring that vendors are contractually obligated to maintain high security standards.
- Following Procurement: Continuously assess software manufacturers’ product security and security outcomes. Ongoing evaluation ensures that vendors remain committed to secure practices throughout the product lifecycle.
A Call to Action for Businesses
CISA Director Jen Easterly highlighted the importance of businesses leveraging their purchasing power to drive the adoption of secure by design principles.
“We are glad to see leading technology vendors recognize that their products need to be more secure and voluntarily join the Secure by Design pledge. Businesses can also help move the needle by making better risk-informed decisions when purchasing software,” Easterly stated. “This new guide will help software customers understand how they can use their purchasing power to procure secure products and turn Secure by Design into Secure by Demand.”
In conclusion, the “Secure by Demand Guide” provides a valuable resource for organizations seeking to enhance their software procurement practices. By incorporating the guide’s recommendations, businesses can ensure that they are procuring software products that are secure, resilient, and capable of withstanding evolving cyber threats.
