Active Cyber Zone from ActiveCyber.net

Active Cyber Zone Panel Discussion About New CISA Software Acquisition Guide - Why It Is Important And What You Need to Do About It

Chris Daly of Active Cyber


The CISA Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle product was developed in response to the core challenges of software assurance and cybersecurity transparency in the acquisition process, focusing primarily on software lifecycle activities. The Software Acquisition Guide focuses on the “Secure by Demand” elements by providing recommendations for agency personnel, including mission owners and contracting staff or requirements office to engage in more relevant discussions with their enterprise risk owners (such as CIOs and CISOs) and candidate suppliers such that better, risk-informed decisions can be made associated with acquisition and procurement of software and cyber-physical products. 

This Active Cyber Zone podcast features two members of the team that developed the Guide. We explore why the Guide is needed and what government vendors need to know as the Guide makes its way into the federal acquisition process.

The guide aims to provide a buyer's guide for software assurance and improve the security of software products. [07:55] It focuses on the demand signal from buyers to encourage suppliers to prioritize security. [41:45] The guide incorporates various principles such as secure by design, secure by default, and secure by demand. [11:06] It addresses the ownership of software, the use of open source software, and the need for independent scanning of software for security. [24:00] The guide also considers other standards and certifications like CMMC, Common Criteria, and FIPS 140. [19:19] It emphasizes the importance of policy and process rather than being prescriptive. The guide includes governance questions and control questions to help acquisition officials make risk-informed decisions. [26:53] It does not rely on scoring or comparing product features. The guide also mentions bug bounties as a form of independent testing. [36:41] It acknowledges the challenges of dealing with overseas suppliers and suggests involving resellers or system integrators to proxy deficiencies in the supply chain. The guide does not have a specific refresh requirement, but it encourages continuous improvement and transparency in the software supply chain. [07:55] The guide can be found on the CISA website along with a spreadsheet tool for self-assessment. [43:48] Feedback on the guide is welcomed through a survey on the website. [44:09]