On August 6, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released the “Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem.” This guide aims to assist organizations in evaluating and ensuring the cybersecurity of software products during the procurement process. It is designed to help buyers understand and assess software manufacturers’ security practices and ensure that security is considered from the earliest stages of product development.
The guide addresses a critical gap in software acquisition: while organizations often understand the basic cybersecurity requirements, they frequently fail to scrutinize whether software suppliers implement security measures throughout their development lifecycle. To bridge this gap, the guide offers practical recommendations, including essential questions to ask vendors, considerations for integrating security into various stages of the procurement process, and resources for evaluating product security maturity based on secure-by-design principles.
CISA Director Jen Easterly highlighted the significance of using purchasing power to drive better security practices in technology. She emphasized that businesses can influence the market by making informed, risk-based decisions when acquiring software. The guide provides actionable steps such as obtaining a manufacturer’s software bill of materials, reviewing product roadmaps for vulnerability management, and checking for publicly available vulnerability disclosure policies, which collectively help ensure that software products are developed with security as a priority.
This new guide complements the recently published “Software Acquisition Guide for Government Enterprise Consumers,” which focuses on software assurance within the cyber-supply chain risk management lifecycle. By leveraging both resources, organizations can enhance their procurement strategies, ensuring that security is a core component of their software acquisition processes and thereby strengthening their overall cybersecurity posture.
Reference: