Products & Technology
October 3, 2024

Get Ahead of CISA's New Software Security Acquisition Requirements

How Spectra Assure helps accelerate compliance with new requirements.

Charlie Jones

On August 1, 2024, the CISA-led ICT Supply Chain Risk Management Task Force published a Software Acquisition Guide. The document outlines key questions an enterprise buyer of software can ask to better govern the security risk posed by its vendors. Although it is aimed at government agencies, the guide can be used by any organization that wants to procure software safely.

What is the goal of the new guide?

Through this guide, CISA aims to define a list of controls that enterprise software buyers can use to understand the security risk presented by a prospective supplier's product or service. By clarifying the residual risk exposure that accompanies a new software package, acquiring organizations can make more informed contractual amendments or service-level agreements (SLAs) to ensure their software vendors uphold strong security practices throughout the lifecycle of the product or service.

The controls can be found in the published PDF guide, as well as within the accompanying Excel file for more convenient vendor distribution and completion.

Introducing ‘Secure by Demand’

Another security concept the guide introduces is Secure by Demand. It builds on the existing software development practices of Secure by Design and Secure by Default, with a consumer twist: the emerging principle captures the growing enterprise demand for transparency into the make-up and security of the third-party software they rely on to run their business. More details about Secure by Demand, including the complementary guide published by CISA, can be found in RL's recent blog, Secure by Demand: Key takeaways for enterprise software buyers.

How Can ReversingLabs Help?

ReversingLabs is uniquely suited to help software vendors and buyers get ahead of the US government's security requirements spelled out in CISA's new Software Acquisition Guide. ReversingLabs Spectra Assure™ generates shareable audit artifacts that demonstrate the vendor's software product was evaluated in its final state prior to distribution or deployment. The Spectra Assure SAFE report delivers a comprehensive software bill of materials (SBOM), describes any known risks or threats uncovered during analysis (such as malware, tampering, malicious behaviors, exposed secrets, and vulnerabilities), and proposes mitigation strategies to address them.

Below we explore the control categories from CISA's Software Acquisition Guide to which Spectra Assure can contribute, with the aim of helping both software vendors and buyers accelerate compliance.

Governance: In the context of software supply chain security, vendor governance controls are vital to reduce any software assurance knowledge gaps between the supplier of a software-based product and those running the acquisition and procurement process.

[Image: Governance controls that Spectra Assure helps address]

Supply Chain: Software is composed of, or reliant upon, open source, custom-developed, or third-party libraries. As these libraries get packaged into commercial off-the-shelf (COTS) software, downstream consumers lose visibility into the building blocks of applications that often support critical business processes. Reduced visibility into your software means less control, which makes it harder to manage the security risks that will inevitably emerge and to maintain business agility in the resulting crisis scenarios (e.g. Log4j). Enforcing supply chain requirements can help organizations regain visibility into, and control over, the components that make up their software ecosystem.

[Image: Supply Chain controls that Spectra Assure helps address]

Secure Deployment: Post-acquisition, organizations are tasked with deploying procured software solutions within their existing on-premises or cloud-based infrastructure. The controls in this section represent the operational activities required to integrate a third-party software solution safely for business use.

[Image: Secure Deployment controls that Spectra Assure helps address]

Secure Development: Development organizations have an obligation to ensure the software they publish is safe to use before release. Secure development controls represent a set of security stage gates required to detect, and subsequently mitigate, the likelihood and impact of a software supply chain attack, building trust with downstream enterprise customers.

[Image: Secure Development controls that Spectra Assure helps address]

Vulnerability Management: Vulnerabilities in software are a constant threat to organizations and individuals, often stemming from an outdated software component, a bug, or some other flaw. Depending on their severity, they may give malicious actors an opportunity to access your systems and sensitive information and cause harm to your organization. People, processes, and technology must be adopted to effectively detect and manage vulnerabilities identified in custom-developed and third-party software.

[Image: Vulnerability Management controls that Spectra Assure helps address]

When push comes to shove

We have entered an age in which security questionnaires have turned into security demands. Although these new guidelines can be daunting for both software publishers and enterprise buyers, automated supply chain security solutions like Spectra Assure can serve as the primary control for ensuring that safe software is procured in an efficient and scalable manner.
