The Cybersecurity and Infrastructure Security Agency and the FBI have issued a guide to help customers ensure that secure by design is a core consideration for the manufacturers of the software they are eyeing for purchase.
Titled “Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem,” the manual is designed for software customers’ procurement talks with third-party resellers, CISA said Tuesday.
Citing the technology vendors that earlier joined CISA’s Secure by Design pledge, Jen Easterly, the agency’s director, said businesses can also advance the effort by making “better risk-informed decisions” in their software purchases.
“This new guide will help software customers understand how they can use their purchasing power to procure secure products and turn Secure by Design into Secure by Demand,” she said.
The guide provides questions that an organization’s acquisition staff can ask during a software purchase to assess security both in the procurement stages and across the product lifecycle.
It also recommends action steps, such as obtaining and inspecting the manufacturer’s software bill of materials (SBOM), which lists the product’s third-party components. Another recommendation calls for customers to check suppliers’ vulnerability disclosure policies and their roadmaps for addressing vulnerabilities in their products.
In addition to using the guide, CISA suggests that customers review the software acquisition roadmap in the cyber-supply chain risk management playbook it recently published.