Software Suppliers Under the Cybersecurity Microscope – Federal Buyers Get a Guide

Published: August 09, 2024

Tags: Federal Market Analysis, Acquisition Reform, Contracting Trends, Cybersecurity, CISA, Policy and Legislation, Procurement

Software suppliers will need to provide proof to agencies that their software is developed and delivered securely.

The Cybersecurity and Infrastructure Security Agency (CISA) recently released its Software Acquisition Guide for Government Enterprise Consumers to give federal acquisition and contracting staff the tools they need to effectively assess whether a software supplier has followed the proper practices and policies to assure the security of their products.

The new guide is the latest development in a movement toward reducing federal supply chain cybersecurity risk. Executive Order 14028 on Improving the Nation’s Cybersecurity set in motion efforts to require producers of software purchased by federal agencies to comply with, and attest to their compliance with, federal secure software development practices and requirements.

Driving Supplier Transparency and Informing Contract Requirements

Increasing supplier transparency and accountability are the driving principles throughout this and other federal software supply chain cybersecurity efforts. As such, CISA is pressing software suppliers to:

  • Take ownership of customer security outcomes;
  • Embrace radical transparency and accountability; and
  • Build organizational structure and leadership to achieve these goals.

For federal agencies, the guide is intended in part to be used to inform the structuring of contract language and evaluation criteria to make their cybersecurity expectations explicit and to aid with pre-procurement communications with prospective suppliers.

Questions for Software Suppliers and Considerations for Agencies

Software suppliers will need to answer a litany of questions to assure agencies their software follows critical federal guidance, including CISA’s Secure by Design principles. The guide also provides agencies with a list of questions that should be addressed to mitigate risk exposure from software obtained from third parties (including software integrators and resellers).

The guide is organized into five primary sections, each with its own set of controls and clarifying tasks:

  • Supplier Governance and Attestations (19 control questions);
  • Software Supply Chain Controls (8 questions);
  • Secure Software Development Controls (30 questions);
  • Secure Software Deployment Controls (12 questions); and
  • Vulnerability Management Controls (8 questions).

CISA also provided an accompanying spreadsheet-based questionnaire that suppliers use to submit their responses to agencies.

Suppliers that submit an acceptable secure software development attestation, such as CISA’s Secure Software Development Attestation Form, GSA’s Secure Software Development Attestation Form, or an equivalent, may skip many of the questions covered by the attestation.

Implications

Shifting cybersecurity liability onto IT supply chain producers and suppliers is a major plank in the current National Cybersecurity Strategy Implementation Plan (NCSIP). Federal cyber policymakers continue to raise the bar for software (and hardware, firmware and IT service) suppliers, requiring their products and services to have security “baked in” at every stage and step, and requiring proof of it. To quote the latest CISA guidance, “Software suppliers are expected to understand the security controls used within their development environments, apply similar controls to their software supply chain, and provide guidance to software operators.”

Suppliers that cannot yet provide evidence of following all the required security practices and controls will need to build a Plan of Action and Milestones (POA&M) to document and track progress toward the necessary security improvements. The CISA guidance may be useful for this.

The march toward greater supply chain transparency and accountability will continue, and it will drive acquisition decisions to a greater degree moving forward. The Federal Acquisition Regulatory (FAR) Council is working on an acquisition rule that will codify the requirement for suppliers to comply with, and attest to following, secure design practices. (See FAR Case # 2023-002.)

Failure to build these processes, and their associated overhead costs, into a company’s operations will create significant and certain market risk for federal suppliers.