The Cybersecurity and Infrastructure Security Agency has provided government acquisition and procurement organizations with a newly developed guidebook on mitigating cyberattack threats on the software they use in the supply chain.
Titled “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management Lifecycle,” the playbook consolidates software assurance standards and frameworks, with focus on software acquisition and lifecycle activities, CISA said.
Developed by CISA’s information and communications technology supply chain risk management task force, the guide addresses the heightened importance of rebalancing cybersecurity responsibilities between software suppliers and users.
According to Mona Harrington, CISA national risk management center assistant director and ICT SCRM task force co-chair, the guidance includes the agency’s secure by design principles and a questionnaire that should be tackled in the risk mitigation process for software procured from third parties.
The guide is a tool for government acquisition and procurement bodies for initiating discussions with their cybersecurity staff and enterprise risk frontliners, such as chief information officers, Harrington added.
The playbook provides a spreadsheet complementing its software acquisition roadmap to help users navigate the document.
The ICT SCRM task force will hold a webinar on the guidebook in the fall.