CISA has made it clear that ultimately software suppliers must carry the can for security risks as it laid out guidance to ensure government bodies buying software are not importing vulnerabilities.
The agency’s Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle consolidates a raft of “software assurance guidance and frameworks”
CISA described it as a response to the challenge of ensuring software assurance and cybersecurity transparency in the acquisition process.
“It provides critical federal guidance, including CISA’s Secure by Design principles, and a list of questions that should be addressed to mitigate risk exposure from software obtained from third parties,” CISA National Risk Management Center Assistant Director and ICT SCRM Task Force Co-Chair Mona Harrington said in a statement.
The doc itself says that supply chain risks span both open and closed source routes, and both buyers and suppliers need an increased awareness of the risks.
It provides a battery of questions for government procurement and tech staff to fire at prospective and existing suppliers. Needless to say, these constitute good practice for private sector staffers too.
However, an overview of the doc makes it clear that “the responsibility ultimately lies with the software suppliers to take ownership of their customers’ security outcomes.”
Needless to say, it repeats CISA’s “secure by design” mantra - though the emphasis is on “secure by demand” elements to ensure “better, risk-informed decisions can be made associated with acquisition and procurement of software and cyber-physical products.”
And, it calls for “shifting the responsibility onto software suppliers rather than the current paradigm where the consequences of vulnerable exploitable systems and software overwhelmingly fall on customers and consumers—the enterprise users.”
The guide spans 77 questions overall, of which 19 cover supplier governance and attestations, and eight cover software supply chain issues. The remainder span secure software development, software deployment and vulnerability management.
A quarter of the questions “could be skipped if the supplier provides a CISA Secure Software Development Attestation Form, or equivalent forms.”
The doc itself is also accompanied by a spreadsheet, “that complements the Software Acquisition Guide and assists users with navigating the document.” You could almost describe it as a tick box doc.
And users will need as much help as they can get. CISA has previously said it will name and shame vendors over insecure software.
But CISA can only spread itself so far. A US Government Accountability Office report in March noted that the organization lacked skill staff and capabilities to tackle operational technology security issues.
