07 August 2024
USA: CISA publishes Secure by Demand Guide on software acquisition
On August 6, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published the Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem. In particular, the guide highlights cybersecurity software acquisition considerations for organizations buying software.
The guide outlines how organizations can integrate product security considerations before, during, and following procurement.
The guide details software manufacturer questions that should be addressed, including:
- whether the product supports secure authentication;
- how the software manufacturer addresses software defects across its products, and what classes of vulnerability have been addressed;
- evidence of intrusions and the availability of security logs to customers;
- information on software supply chain security, including provenance data for third-party dependencies and the processes governing the use of, and contributions to, open source software components; and
- whether the software manufacturer demonstrates transparency and timeliness in vulnerability reports for on-premises and cloud products.