
Security-Aware Acquisition

Created December 2017

No matter how secure you think your systems might be, if your suppliers are not secure, your systems are at risk. For systems to be secure, your suppliers must use sound practices throughout their development and management lifecycles. CERT techniques help you evaluate and manage cyber risk in today’s complex software supply chains.

The Challenge of Cyber Risks in the Supply Chain

In today’s highly competitive and technology-driven environments, outsourcing software and development is more than a trend—it’s the way business is done. Using supply chains provides cost savings and flexibility to system integrators, but their use comes with a cost—added risk. As risks increase, confidence in your software-reliant systems decreases.

Your organization probably works with a prime contractor, who then works with subcontractors, who also have subcontractors, and so on. Such a long, complex supply chain makes it difficult to manage software, requirements, systems, contracts, and their related risks.

Many organizations rely on formal legal contracts to ensure their suppliers mitigate risk. This approach is ineffective on its own: a contract does not provide the mechanisms, flexibility, and repeatability needed to manage cybersecurity risks across the entire supply chain. You may also have limited power to confirm whether your delivered systems are secure, relying instead on an intermediary, a prime contractor or integrator, to do that for you.

Today’s evolving cybersecurity landscape requires that you implement a risk-based approach when managing the supply chain. The approaches to risk management and acquisition we've developed help you efficiently navigate software acquisition, development, and integration to a secure conclusion.

The Solution: Cybersecurity Practices for Acquisition and Your Supply Chain

Building on our cyber-risk management expertise and leveraging the data we’ve gathered over the last 10 years, our experts understand the challenges you face daily and are researching ways to help you manage software supply chain risk.

Software Assurance Framework (SAF)

The SAF, a working prototype, is a collection of cybersecurity practices that you can apply across the acquisition lifecycle and supply chain. You can use the SAF to assess your security-aware acquisition practices and chart a course for improvement, reducing the cybersecurity risk of your deployed software-reliant systems.

Field experiences of technical staff at the SEI indicate that few organizations implement effective cybersecurity practices early in the acquisition lifecycle. The SAF helps you remedy that shortcoming. It provides acquiring organizations with a basis for describing, assessing, and measuring their cybersecurity practices.

The SAF is a living framework that will mature in the years ahead. So far, it has been useful in three pilots in acquisition organizations.

A-SQUARE

SQUARE for Acquisition, also known as A-SQUARE, is a method used for eliciting and prioritizing security requirements as part of the acquisition process. A-SQUARE helps you document and visualize requirements analysis results and rationale. It helps you prioritize, categorize, and display security requirements and provides the steps for performing tradeoff analyses. Ultimately, you will understand the relative priorities of different types of requirements.

This method’s seven steps include agreeing on definitions, identifying assets and goals, identifying preliminary security requirements, reviewing COTS information, finalizing security requirements, performing tradeoff analyses, and making a final product selection.
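The tradeoff analysis and final product selection steps are easiest to understand on a concrete case. The following is an added example written for this page, not A-SQUARE's own tooling: it gates candidate COTS products on the "must" requirements and then ranks the survivors by weighted coverage of the remaining requirements, recording the rationale. The priority labels, weights, requirement wording and product coverage figures are all constructed assumptions, not data from any real acquisition.

```python
from dataclasses import dataclass

# Priority labels and weights are an assumption for this example; A-SQUARE
# leaves the prioritization scheme to the stakeholders (step 1, agreeing on
# definitions, is where they would be fixed).
WEIGHTS = {"must": 5, "should": 3, "could": 1}
MUST_THRESHOLD = 1.0  # a "must" requirement only counts if fully covered


@dataclass(frozen=True)
class Requirement:
    rid: str
    text: str
    priority: str  # one of WEIGHTS' keys


@dataclass(frozen=True)
class Candidate:
    name: str
    coverage: dict  # requirement id -> 0.0 (unmet) .. 1.0 (fully met)


def unmet_musts(req_list, cand):
    """Ids of 'must' requirements the candidate does not fully cover."""
    return [r.rid for r in req_list
            if r.priority == "must"
            and cand.coverage.get(r.rid, 0.0) < MUST_THRESHOLD]


def weighted_score(req_list, cand):
    """Weighted coverage in [0, 1]; a missing coverage entry counts as 0."""
    total = sum(WEIGHTS[r.priority] for r in req_list)
    earned = sum(WEIGHTS[r.priority] * cand.coverage.get(r.rid, 0.0)
                 for r in req_list)
    return earned / total if total else 0.0


def tradeoff(req_list, cands):
    """Return (ranking, excluded).

    ranking:  [(name, score)] for candidates that pass the 'must' gate,
              best first (ties broken by name so the result is deterministic).
    excluded: [(name, [unmet must ids])] for candidates that fail the gate;
              a partially met 'must' requirement does not earn partial credit.
    """
    ranking, excluded = [], []
    for c in cands:
        missing = unmet_musts(req_list, c)
        if missing:
            excluded.append((c.name, missing))
        else:
            ranking.append((c.name, weighted_score(req_list, c)))
    ranking.sort(key=lambda ns: (-ns[1], ns[0]))
    return ranking, excluded


def rationale(req_list, cands):
    """Human-readable record of the decision for the acquisition file."""
    ranking, excluded = tradeoff(req_list, cands)
    lines = []
    for name, missing in excluded:
        lines.append(f"{name}: excluded, unmet must-have requirement(s) "
                     + ", ".join(missing))
    for rank, (name, score) in enumerate(ranking, start=1):
        lines.append(f"{rank}. {name}: weighted coverage {score:.2f}")
    return lines


# Constructed sample data for illustration only.
REQUIREMENTS = [
    Requirement("R1", "Credentials are encrypted at rest", "must"),
    Requirement("R2", "Vendor ships an SBOM with every release", "must"),
    Requirement("R3", "Uses a FIPS 140-validated crypto module", "should"),
    Requirement("R4", "Vendor publishes a vulnerability disclosure policy", "could"),
]

CANDIDATES = [
    Candidate("Product A", {"R1": 1.0, "R2": 1.0, "R3": 0.5, "R4": 1.0}),
    Candidate("Product B", {"R1": 1.0, "R2": 0.4, "R3": 1.0, "R4": 1.0}),
    Candidate("Product C", {"R1": 1.0, "R2": 1.0, "R3": 1.0}),  # no R4 entry
]

if __name__ == "__main__":
    for line in rationale(REQUIREMENTS, CANDIDATES):
        print(line)
```

The gate is the point worth noticing: Product B covers more of the weighted requirements than Product A, but it only partially satisfies the SBOM requirement, so it never reaches the scoring stage. Recording both the exclusions and the scores gives the written rationale that the method asks you to keep.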

Benefit from our extensive work in this field. Let us help you determine which approach best meets your organization’s needs.

Software and Tools

CERT SQUARE for Acquisition (A-SQUARE)

August 2011

A-SQUARE is designed for stakeholders, requirements engineers, and contractors/vendors to use in acquisitions and provides documentation support for a variety of use cases.


Looking Ahead: The Acquisition Security Framework

A prototype approach we've developed, the Acquisition Security Framework (ASF), enables you to measure and improve your organization’s ability to manage cyber risks throughout the software supply chain.

Our new approach helps you cut through the bureaucracy of government supply chain management. It also helps you evaluate risks and gaps in how you acquire, engineer, and deploy secure software-reliant systems.

Keeping these challenges in mind and leveraging our knowledge of the critical regulations that affect acquisition and the supply-chain landscape, we are developing the ASF to help those who acquire complex software-intensive systems. We need smart collaborators to help us shape this innovative approach. Get in on the ground floor and contact us to help engineer a successful approach that improves acquisition and makes your job easier.

Learn More


An Acquisition Security Framework for Supply Chain Risk Management

October 17, 2022 Blog Post
Carol Woody

This post introduces the Acquisition Security Framework (ASF), which helps organizations identify the critical touchpoints needed for effective supply chain risk...


Acquisition Security Framework (ASF): An Acquisition and Supplier Perspective on Managing Software-Intensive Systems’ Cybersecurity Risk

October 04, 2022 White Paper
Christopher J. Alberts, Michael S. Bandor, Charles M. Wallen

The Acquisition Security Framework (ASF) contains practices that support programs acquiring/building a secure, resilient software-reliant system to manage risks.


Incorporating Supply Chain Risk and DevSecOps into a Cybersecurity Strategy

March 24, 2022 Podcast
Carol Woody, PhD

Carol Woody, a principal researcher in the SEI's CERT Division, talks with Suzanne Miller about supply-chain issues and the planning needed to integrate software from the supply chain into operational environments.


Acquisition Disasters? Ideas For Reducing Acquisition Risk

March 03, 2022 Webinar
Alfred Schenker, Linda Parker Gates

In this webcast, Fred Schenker and Linda Parker Gates discuss the status quo, alternative approaches, and how the community of Cyber Physical System acquirers and suppliers can improve.


Securing the Supply Chain for the Defense Industrial Base

March 01, 2022 Podcast
Gavin Jurecko, Katie C. Stewart

Gavin Jurecko, who leads the SEI’s Resilience Diagnostics Team, talks with Katie Stewart about risks associated with defense industrial base (DIB) supply chains and how the SEI works with the U.S. Department of Defense to mitigate those risks.


A Cybersecurity Engineering Strategy for DevSecOp­­­s that Integrates with the Software Supply Chain

January 31, 2022 Blog Post
Carol Woody

Reused code contains defects unknown to the new user, which, in turn, propagate vulnerabilities into new systems. Organizations must develop a cybersecurity engineering strategy that addresses the integration of DevSecOps with the software supply...


Security Engineering Risk Analysis (SERA) Threat Archetypes

December 16, 2020 White Paper
Christopher J. Alberts, Carol Woody, PhD

This report examines the concept of threat archetypes and how analysts can use them during scenario development.


Better Manage Your Supply Chain

November 15, 2017 Brochure

This brochure describes the Acquisition Security Framework (ASF), which enables you to achieve a secure, resilient, and survivable supply chain.


Assessing DoD System Acquisition Supply Chain Risk Management

May 01, 2017 Article
Christopher J. Alberts, John Haller, Charles M. Wallen

In this Crosstalk article, the authors discuss the growing challenge of cyber risks in the defense supply chain.
