CISA Alert – CISA Releases Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem

Created: Thursday, August 8, 2024 - 14:23
Categories:
Cybersecurity, Federal & State Resources, Security Preparedness

Today, CISA and the FBI jointly published “Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem.” The guide is designed to help organizations drive a secure technology ecosystem by ensuring their software manufacturers prioritize secure technology from the start.

The acquisition personnel of an organization generally have a foundational understanding of the cybersecurity requirements associated with a specific technology acquisition. However, they frequently do not assess whether a supplier has implemented practices and policies that make security a core consideration from the early phases of the product development lifecycle.

This guide is intended to assist organizations by presenting a series of questions to consider when acquiring software, recommending considerations for integrating product security throughout various stages of the procurement process, and providing resources to evaluate the security maturity of a product in accordance with secure by design principles.

The Secure by Demand Guide is a counterpart to CISA’s Secure by Design guidance for technology manufacturers, which lays out three secure by design principles:

  1. Take ownership of customer security outcomes,
  2. Embrace radical transparency and accountability, and
  3. Build organizational structure and leadership to achieve these goals.

Organizations can integrate product security considerations into various stages of the procurement lifecycle:

  • Before procurement, by posing questions to understand each candidate software manufacturer’s approach to product security.
  • During procurement, by integrating product security requirements into contract language, as appropriate.
  • Following procurement, by continually assessing software manufacturers’ product security and security outcomes.

This guide complements the recently published “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle.” CISA encourages organizations to review both the Secure by Demand Guide and the Software Acquisition Guide and to implement the recommended actions. Access the full guide at CISA.