The Cybersecurity and Infrastructure Security Agency (“CISA”) released a new guide on August 2, 2024 titled, “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle” (the “Software Acquisition Guide”). This guide addresses the cybersecurity risks associated with the acquisition and use of third-party developed software and certain related physical products in an agency enterprise environment, and provides recommendations to agency personnel for understanding, addressing, and mitigating those risks. This guide was followed on August 6, 2024, by a separate guide issued jointly by CISA and the FBI titled, “Secure By Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem” (the “Secure By Demand Guide”). Together, these two guides provide agency and industry personnel a series of questions that can be used to obtain information from suppliers, set technical requirements, and develop contract terms for the acquisition of secure software as contemplated by the Biden Administration’s May 2021 Cybersecurity Executive Order (“EO”) and the Office of Management and Budget (“OMB”) memoranda implementing that Order.
The specific impact that the guides will have on federal procurements and on software developers in the federal supply chain is not yet clear. That said, all software producers in the federal supply chain are currently required to fully comply with the new secure software development minimum requirements promulgated by the Office of Management and Budget by September 8 of this year, as detailed in our prior post here. The Software Acquisition Guide in particular builds on those requirements and thus could be adopted by agencies that opt to impose additional obligations on contractors beyond those minimum requirements.
Software Acquisition Guide
The Software Acquisition Guide is intended to be used both by government and by industry personnel and is meant to bridge gaps between other relevant security control regimes such as National Institute of Standards and Technology Special Publication (“NIST SP”) 800-53 (“Security and Privacy Controls for Information Systems and Organizations”), the Federal Risk and Authorization Management Program (“FedRAMP”), and NIST SP 800-161 (“Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations”). The Software Acquisition Guide contains an illustration that indicates how these regimes overlap with each other.
Along these lines, the Software Acquisition Guide acknowledges the ongoing efforts that are focused on software acquisition and use by the Government – notably the existing EO and OMB requirements for the submission of secure software development attestation common forms and/or third party assessment results as a condition of producing software for end-use by the federal government – and expands upon these requirements. Notably, the guide refers to those attestations as “a necessary starting point to addressing risks passed to using enterprises” of software and physical products, and attempts to build upon them in related areas such as Software Bills of Materials (“SBOMs”) and vulnerability scanning and patching.
The Software Acquisition Guide contains the following five primary sections: (1) Supplier Governance and Attestations; (2) Software Supply Chain Controls; (3) Secure Software Development Controls; (4) Secure Software Deployment Controls; and (5) Vulnerability Management Controls. Each of these sections has a set of “control questions,” some of which only apply under certain conditions. For example, the Supplier Governance and Attestations section includes 19 control questions, the first of which is: “Does the supplier provide a CISA Secure Software Development Attestation Form, or equivalent such as the GSA 7700 Secure Software Development Attestation Form, without need for a POA&M, signed by the supplier’s designated employee (Chief Executive Officer or designee that can bind the suppliers)?” If the supplier answers “Yes” to this question, it is excused from answering 25 of the remaining 76 control questions. Similarly, if the supplier answers all 19 of the Supplier Governance and Attestations Control questions in the affirmative, then it is excused from responding to any of the control questions in the other sections.
Many of these questions in the document are very detailed. As an example, one of the control questions regarding Software Supply Chain Controls asks whether the supplier “create[s] a validated SBOM in an NTIA or CISA approved machine readable format with NTIA or CISA defined minimum fields for all releases of the software, including updates.”
Additionally, the guide contains certain questions relating to the use of artificial intelligence in the software supply chain, such as whether the supplier has used any generative AI solutions in the development of the software, whether the supplier has and enforces policies relating to the use of AI-generated code, and whether the supplier performs ongoing reviews for data leakage associated with AI-generated code. Further, since the guide is based on the practices outlined in NIST SP 800-218 (“Secure Software Development Framework”), it is possible that the guide may eventually be supplemented or revised in light of NIST SP 800-218A (“Secure Software Development Practices for Generative AI and Dual-Use Foundation Models”), which was very recently issued under President Biden’s Executive Order on Artificial Intelligence, to the extent that such models are incorporated into or used in the development of end-software. We covered NIST SP 800-218A and related frameworks in more detail in our prior post here.
Secure By Demand Guide
The Secure By Demand Guide issued jointly by CISA and the FBI also provides organizations with questions to ask suppliers or potential suppliers before conducting a software procurement in order to “understand each candidate software manufacturer’s approach to product security.” These questions begin with the following “General Questions”: (1) “Has the manufacturer taken CISA’s Secure By Design Pledge?”; (2) “What progress reports has the manufacturer published in line with its commitments to the pledge?”; (3) “How does the manufacturer make it simple for customers to install security patches?”; and (4) “Does it offer support for security patches on a widespread basis and enable functionality for automatic updates?”
Following these questions, the Secure By Demand Guide provides questions tailored to the following subjects: (1) Authentication; (2) Eliminating Classes of Vulnerability; (3) Evidence of Intrusions; (4) Software Supply Chain Security; and (5) Vulnerability Disclosures and Reporting. Many of these questions are detailed and refer to existing or forthcoming requirements. For example, within the Software Supply Chain Security category, the Secure By Demand Guide recommends that “the software manufacturer should maintain and share provenance data of third-party dependencies and have processes to govern its use of and contributions to, open source software components,” and provides the following questions for organizations to ask their software manufacturers:
- “Does the manufacturer generate a Software Bill of Materials (SBOM) in a standard, machine-readable format and make this available to customers? Does the SBOM enumerate all third-party dependencies, including open source software components?”
- “How does the manufacturer vet the security of the open source software components to incorporate and facilitate contributions back to help sustain these open source projects? Does the software manufacturer have an established process to do so, such as through an open source program office (OSPO)?”
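Both the Software Acquisition Guide’s control question on a “validated SBOM” with the NTIA-defined minimum fields and the Secure By Demand Guide’s question on a standard, machine-readable SBOM that enumerates all third-party dependencies turn on the same concrete check: does each component carry the NTIA minimum elements (supplier name, component name, version, a unique identifier, and a dependency relationship) and does the document carry an author and a timestamp? The script below is an added example written for this post, not code from CISA, NTIA, or the guides; it reads a CycloneDX JSON SBOM (one of the machine-readable formats NTIA recognizes) and reports, per component, which minimum elements are missing. The SBOM it checks is a constructed sample with one deliberately incomplete component, and the choice to accept either a named author or a generating tool as the “author of SBOM data,” and any of purl/cpe/swid as the unique identifier, is this example’s assumption, not a rule stated in the guides.

```python
"""Check a CycloneDX JSON SBOM against the NTIA minimum elements.

Added example for this post; not code from CISA, NTIA, or the cited guides.
"""
import json

# Constructed sample CycloneDX 1.5 JSON SBOM (not from any real supplier).
# "left-pad" is deliberately incomplete: no supplier, no version, no identifier,
# and it never appears in the dependency graph.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2024-08-02T12:00:00Z",
        "authors": [{"name": "Example Vendor Build System"}],
        "component": {"type": "application", "name": "example-app",
                      "version": "2.1.0",
                      "bom-ref": "pkg:generic/example-app@2.1.0"},
    },
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "supplier": {"name": "OpenJS Foundation"},
         "purl": "pkg:npm/lodash@4.17.21", "bom-ref": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "left-pad", "bom-ref": "left-pad"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/example-app@2.1.0",
         "dependsOn": ["pkg:npm/lodash@4.17.21"]},
        {"ref": "pkg:npm/lodash@4.17.21", "dependsOn": []},
    ],
})


def component_gaps(component):
    """Return the NTIA per-component minimum fields missing from one component."""
    gaps = []
    if not (component.get("supplier") or {}).get("name"):
        gaps.append("supplier name")
    if not component.get("name"):
        gaps.append("component name")
    if not component.get("version"):
        gaps.append("component version")
    # NTIA "other unique identifiers": this example accepts any CycloneDX
    # identifier field (assumption of the example, not a rule from the guides).
    if not any(component.get(k) for k in ("purl", "cpe", "swid")):
        gaps.append("unique identifier (purl/cpe/swid)")
    return gaps


def check_ntia_minimum(sbom_json):
    """Map each component's bom-ref (and '_document') to its missing fields.

    An empty dict means every NTIA minimum element is present.
    """
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX JSON document")
    findings = {}

    # Document-level elements: author of SBOM data and timestamp.
    meta = sbom.get("metadata") or {}
    doc_gaps = []
    if not meta.get("timestamp"):
        doc_gaps.append("timestamp")
    # Accepting the generating tool as the author is an assumption of this example.
    if not (meta.get("authors") or meta.get("tools")):
        doc_gaps.append("author of SBOM data")
    if doc_gaps:
        findings["_document"] = doc_gaps

    # Dependency relationship: every component must appear somewhere in the graph,
    # either as a node ("ref") or as a child of one ("dependsOn").
    in_graph = set()
    for dep in sbom.get("dependencies") or []:
        in_graph.add(dep.get("ref"))
        in_graph.update(dep.get("dependsOn") or [])

    for comp in sbom.get("components") or []:
        ref = comp.get("bom-ref") or comp.get("name") or "<unnamed>"
        gaps = component_gaps(comp)
        if ref not in in_graph:
            gaps.append("dependency relationship")
        if gaps:
            findings[ref] = gaps
    return findings


if __name__ == "__main__":
    for ref, gaps in check_ntia_minimum(SAMPLE_SBOM).items():
        print(f"{ref}: missing {', '.join(gaps)}")
```

Run against the constructed sample, the script reports only `left-pad`, which lacks a supplier, a version, any identifier, and a place in the dependency graph; `lodash` and the document-level metadata pass. A supplier’s “Yes” to the SBOM control question is easy to state, so an acquiring organization that asks for the SBOM itself can run a check of this shape on every release, including updates, rather than relying on the answer alone.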