US Cyber Defense Agency Aims to Improve Security Transparency in Procuring Software
The U.S. Cybersecurity and Infrastructure Security Agency issued guidance that aims to streamline the software acquisition process for federal agencies while enhancing software assurance and boosting cybersecurity transparency.
The guide, released Thursday, addresses a core challenge in federal acquisition by embedding security principles throughout the entire software life cycle, from design and development to deployment and operational use, according to Mona Harrington, CISA's National Risk Management Center assistant director and co-chair of the agency's ICT Supply Chain Risk Management Task Force.
The guide provides government buyers with a script meant to shift software security responsibilities back onto developers and vendors. It includes governance control questions to ensure suppliers maintain provenance data for both internal and third-party components, along with other critical security measures.
The questions included in the guide seek to ensure suppliers have provided a CISA Secure Software Development Attestation Form and conduct log and patch management to maintain the integrity of federal software supply chains. Suppliers will also be asked to detail what “secure by design” principles and industry standards they have implemented for vulnerability scanning and management.
CISA’s latest acquisition guide consolidates federal frameworks from the National Institute of Standards and Technology along with security requirements from the Office of Management and Budget and General Services Administration to provide a comprehensive approach to securing the software supply chain.
The agency said the guidance is a signal to industry that government agencies are demanding that suppliers take responsibility for the security of their products. The framework aligns with an ongoing federal strategy to shift security responsibilities from end users to commercial manufacturers (see: US Cybersecurity Strategy Shifts Liability Issues to Vendors).
The guide directs contracting staff to "engage in more relevant discussions" with enterprise risk owners such as CIOs and CISOs and includes 77 questions about vulnerability management and software supply chain integrity. CISA said 25 of those questions can be skipped when suppliers submit the Secure Software Development Attestation Form (GSA Form 7700) or similar documentation of their secure governance practices.
The guide also includes recommendations for suppliers, including one to designate a primary coordinator from their organization to provide supporting documents for their responses and further collaborate with federal procurement teams as needed.
The format “is intended to be used to gather an initial and consistent baseline” to evaluate a software supplier’s cybersecurity development practices, according to the guidance. It says that vendors may be required to provide additional supporting documentation and answer other follow-up questions regarding their security practices.