Date: 2024-05-10

The U.S. Cybersecurity and Infrastructure Security Agency and its counterparts in Australia, New Zealand, Canada and the U.K. have released new guidance on secure by design considerations that manufacturers and organizations could use to inform their decisions when purchasing digital products and services.

The document outlines external and internal procurement considerations and presents lists of questions that purchasing organizations could use at each phase of the procurement process.

The section for external procurement considerations, for instance, offers questions that organizations could ask to evaluate a manufacturer’s transparency and reporting, validate secure by default, review a manufacturer’s supply chain risk management and assess open-source software usage.

The procuring organization should also evaluate itself by conducting an assessment across the pre-purchase, purchase and post-purchase stages.

Under the pre-purchase phase, the guidance offers questions that should be asked of senior management, the policy area, the product owner, and the infrastructure and security areas.

The document also lists several standards that could assist manufacturers in the development of secure and verifiable technology platforms.

