Security-Aware Acquisition
Created December 2017
No matter how secure you think your systems might be, if your suppliers are not secure, your systems are at risk. For systems to be secure, your suppliers must use sound practices throughout their development and management lifecycles. CERT techniques help you evaluate and manage cyber risk in today’s complex software supply chains.
The Challenge of Cyber Risks in the Supply Chain
In today’s highly competitive and technology-driven environments, outsourcing software and development is more than a trend—it’s the way business is done. Using supply chains provides cost savings and flexibility to system integrators, but their use comes with a cost—added risk. As risks increase, confidence in your software-reliant systems decreases.
Your organization probably works with a prime contractor, who then works with subcontractors, who also have subcontractors, and so on. Such a long, complex supply chain makes it difficult to manage software, requirements, systems, contracts, and their related risks.
Many organizations rely on formal legal contracts to ensure their suppliers mitigate risk. This ineffective approach fails to provide the mechanisms, flexibility, and repeatability needed to manage cybersecurity risks across the entire supply chain. Also, you may have limited power to confirm whether your delivered systems are secure. You may rely on an intermediary—a prime contractor or integrator—to do that for you.
Today’s evolving cybersecurity landscape requires that you implement a risk-based approach when managing the supply chain. The approaches to risk management and acquisition we've developed help you efficiently navigate software acquisition, development, and integration to a secure conclusion.
The Solution: Cybersecurity Practices for Acquisition and Your Supply Chain
Building on our cyber-risk management expertise and leveraging the data we’ve gathered over the last 10 years, our experts understand the challenges you face daily and are researching ways to help you manage software supply chain risk.
Software Assurance Framework (SAF)
The SAF, a working prototype, is a collection of cybersecurity practices that you can apply across the acquisition lifecycle and supply chain. You can use the SAF to assess your security-aware acquisition practices and chart a course for improvement, reducing the cybersecurity risk of your deployed software-reliant systems.
Field experiences of technical staff at the SEI indicate that few organizations implement effective cybersecurity practices early in the acquisition lifecycle. The SAF helps you remedy that shortcoming. It provides acquiring organizations with a basis for describing, assessing, and measuring their cybersecurity practices.
The SAF is a living framework that will mature in the years ahead. So far, it has been useful in three pilots in acquisition organizations.
A-SQUARE
SQUARE for Acquisition, also known as A-SQUARE, is a method used for eliciting and prioritizing security requirements as part of the acquisition process. A-SQUARE helps you document and visualize requirements analysis results and rationale. It helps you prioritize, categorize, and display security requirements and provides the steps for performing tradeoff analyses. Ultimately, you will understand the relative priorities of different types of requirements.
This method’s seven steps include agreeing on definitions, identifying assets and goals, identifying preliminary security requirements, reviewing COTS information, finalizing security requirements, performing tradeoff analyses, and making a final product selection.
Benefit from our extensive work in this field. Let us help you determine which approach best meets your organization’s needs.
Software and Tools
CERT SQUARE for Acquisition (A-SQUARE)
August 2011
SQUARE-A is designed for stakeholders, requirements engineers, and contractors/vendors to use in acquisitions and provides documentation support for a variety of use...
Looking Ahead: The Acquisition Security Framework
A prototype approach we've developed, the Acquisition Security Framework (ASF), enables you to measure and improve your organization’s ability to manage cyber risks throughout the software supply chain.
Our new approach helps you cut through the bureaucracy of government supply chain management. It also helps you evaluate risks and gaps in how you acquire, engineer, and deploy secure software-reliant systems.
Keeping these challenges in mind and leveraging our knowledge of the critical regulations that affect acquisition and the supply-chain landscape, we are developing the ASF to help those who acquire complex software-intensive systems. We need smart collaborators to help us shape this innovative approach. Get in on the ground floor and contact us to help engineer a successful approach that improves acquisition and makes your job easier.
Learn More
Software Bill of Materials (SBOM) Considerations for Operational Test & Evaluation Activities
June 14, 2024 White Paper
Michael S. Bandor
This white paper looks at the background and history of SBOMs as well as the general questions and challenges for use with Operational Test & Evaluation...
Measurement Challenges in Software Assurance and Supply Chain Risk Management
May 20, 2024 Blog Post
Nancy R. Mead, Carol Woody, Scott Hissam
This SEI Blog post examines the current state of measurement in software assurance and supply chain management, with a particular focus on open source software, and highlights promising measurement...
Applying the SEI SBOM Framework
February 05, 2024 Blog Post
Carol Woody
This SEI Blog post examines ways you can leverage your software bill of materials (SBOM) data, using the SEI SBOM Framework, to improve your software security and inform your supply chain risk...
Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk (Expanded Set of Practices)
October 02, 2023 Technical Note
Christopher J. Alberts, Michael S. Bandor, Charles M. Wallen, Carol Woody
This framework of practices helps programs coordinate their management of engineering and supply chain risks across the systems...
Leveraging Software Bill of Materials Practices for Risk Reduction
September 05, 2023 Webcast
Carol Woody, Charles M. Wallen, Michael S. Bandor
In this webcast, Charles Wallen, Carol Woody, and Michael Bandor discuss how organizations can connect Software Bill of Materials (SBOM) to acquisition and...
Software Bill of Materials Framework: Leveraging SBOMs for Risk Reduction
June 14, 2023 White Paper
Charles M. Wallen, Christopher J. Alberts, Michael S. Bandor, Carol Woody
This paper is a Software Bill of Materials (SBOM) Framework that is a starting point for expanding the use of SBOMs for managing software and systems...
Key Steps to Integrate Secure by Design into Acquisition and Development
May 04, 2023 Podcast
Carol Woody, Robert Schiela
Robert Schiela and Carol Woody talk with Suzanne Miller about the importance of integrating the practices and mindset of secure by design into the acquisition and development of software-reliant systems....
Addressing Supply Chain Risk and Resilience for Software-Reliant Systems
February 20, 2023 Webcast
Carol Woody, Charles M. Wallen
In this webcast, Carol Woody and Charles Wallen discuss the Acquisition Security Framework (ASF) and how the ASF provides a roadmap to help organizations build security and resilience into a...
Asking the Right Questions to Coordinate Security in the Supply Chain
February 09, 2023 Podcast
Carol Woody
Carol Woody talks with Suzanne Miller about the SEI’s newly released Acquisition Security Framework, which helps programs coordinate the management of engineering and supply-chain risks across system...