CISA details software security keys in new guide for acquisition pros

CISA's guide helps bridge the gap between acquisition and IT, as the FAR Council works on a highly anticipated software security rule.

The Cybersecurity and Infrastructure Security Agency is trying to simplify the complex issue of software security for federal acquisition and contracting professionals.

In a new guide released today, CISA details how agencies can better evaluate the security of the software they purchase. The document, the “Software Acquisition Guide for Government Enterprise Consumers,” was written by the Information and Communications Technology Supply Chain Risk Management Task Force, which is co-led by CISA and industry representatives.

“While acquisition staff have a general understanding of the core cybersecurity requirements for a particular acquisition, they often lack the ability to assess whether a given supplier has practices and policies in place that better meet the ongoing expectations of enterprise users of the products,” the guide states.

Mona Harrington, assistant director of CISA’s National Risk Management Center, helps lead the task force as co-chairwoman. She said the task force created the guide “for acquisition and procurement organizations to initiate discussions with their cybersecurity staff and enterprise risk owners, such as chief information officers and chief information security officers, to ensure the security of their software acquisitions.”

“It provides critical federal guidance, including CISA’s ‘Secure by Design’ principles, and a list of questions that should be addressed to mitigate risk exposure from software obtained from third parties,” Harrington said in a statement.

The guide comes as agencies grapple with new and evolving software security requirements. CISA earlier this year finalized a secure software attestation form. The White House has mandated that agencies ensure their software suppliers complete the form before moving forward with purchases.

In the new document, CISA’s task force writes that “careful consideration has been made” to align the guide with existing software security efforts, including the attestation form. The document describes questions that can help inform requirements, contracting and acquisition approaches.

“The information and insights gathered from suppliers help raise the bar on cybersecurity transparency,” the guide states.

For instance, CISA’s guide describes how agencies can request information from vendors about specific software supply chain security controls.

“Software is increasingly composed of, or reliant upon, libraries created by third-party development teams,” the guide states. “These libraries might be open source, commercial, or third-party contracted, and each team may itself create their libraries using any combination of open source, commercial, or third-party contracted libraries. The lack of visibility into the design, development, and implementation decisions made by third-party teams poses risk to all software.”
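The visibility gap the guide describes can be made concrete by walking the dependency graph of a software bill of materials. The following Python script is an added example, not code from the guide or from CISA: it loads a constructed CycloneDX-style SBOM (the `components`, `bom-ref`, `supplier` and `dependencies`/`dependsOn` field names follow the CycloneDX JSON layout; the component names, versions and suppliers are invented for the example), computes every library reachable from a purchased product, and lists those that are transitive rather than direct and those for which no supplier is declared at all. The function names `load_graph`, `transitive_deps` and `visibility_report` are the example's own.

```python
"""Walk a CycloneDX-style SBOM to expose transitive third-party dependencies."""
import json
from collections import deque

# Constructed sample SBOM for this example (not from the guide). It uses the
# CycloneDX JSON field names "components", "bom-ref", "supplier" and the
# "dependencies" graph with "ref" / "dependsOn". Two libraries deliberately
# declare no supplier, modelling the "lack of visibility" the guide describes.
SAMPLE_SBOM = json.dumps({
    "components": [
        {"bom-ref": "app", "name": "acme-portal", "version": "2.1.0",
         "supplier": {"name": "Acme Corp"}},
        {"bom-ref": "web", "name": "webfw", "version": "5.0.1",
         "supplier": {"name": "WebFW Project"}},
        {"bom-ref": "json", "name": "fastjson", "version": "1.3.2"},    # no supplier
        {"bom-ref": "tls", "name": "tlslib", "version": "3.0.9",
         "supplier": {"name": "OpenTLS"}},
        {"bom-ref": "compress", "name": "zlibx", "version": "1.2.0"},   # no supplier
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["web", "tls"]},
        {"ref": "web", "dependsOn": ["json"]},
        {"ref": "json", "dependsOn": ["compress"]},
        {"ref": "tls", "dependsOn": ["compress"]},
    ],
})


def load_graph(sbom_text):
    """Parse the SBOM into a component lookup and an adjacency list."""
    sbom = json.loads(sbom_text)
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    return components, edges


def transitive_deps(edges, root):
    """Return {bom-ref: depth} for everything reachable from root.

    Breadth-first, so each library is recorded at the shallowest depth at
    which it appears; already-seen refs are skipped, which also makes the
    walk safe on cyclic dependency graphs.
    """
    depth = {}
    queue = deque([(root, 0)])
    while queue:
        ref, d = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depth:
                depth[child] = d + 1
                queue.append((child, d + 1))
    return depth


def visibility_report(sbom_text, root):
    """Summarise how much of the product's dependency tree is visible.

    "direct" counts libraries the product itself depends on, "transitive"
    those pulled in by other libraries, "unknown_supplier" lists components
    with no declared supplier, and "unlisted" lists refs that appear in the
    dependency graph but have no component entry at all.
    """
    components, edges = load_graph(sbom_text)
    reach = transitive_deps(edges, root)
    report = {"root": root, "direct": 0, "transitive": 0,
              "unknown_supplier": [], "unlisted": []}
    for ref, d in sorted(reach.items(), key=lambda kv: kv[1]):
        if d == 1:
            report["direct"] += 1
        else:
            report["transitive"] += 1
        comp = components.get(ref)
        if comp is None:
            report["unlisted"].append(ref)
        elif not comp.get("supplier", {}).get("name"):
            report["unknown_supplier"].append(f"{comp['name']}@{comp['version']}")
    return report


if __name__ == "__main__":
    print(json.dumps(visibility_report(SAMPLE_SBOM, "app"), indent=2))
```

Run against the sample, the report shows that half of the product's libraries are transitive and that two of them name no supplier, which is exactly the kind of finding an acquisition team can turn into a follow-up question for the vendor. Replace `SAMPLE_SBOM` with the contents of a vendor-supplied CycloneDX file to run it on real input.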

The guidance also includes a lengthy description of software development controls, as well as software deployment controls and vulnerability management processes.

Improving the security of the government’s software supply chain is a key component of President Joe Biden’s May 2021 cybersecurity executive order. Biden issued the EO after Russian hackers breached the networks of multiple federal agencies through enterprise software supplier SolarWinds.

The Federal Acquisition Regulatory Council is working on a highly anticipated software security rule. Once finalized, it will require government software vendors to comply with specific secure software development requirements. A July 26 update from the FAR Council shows that officials are currently revising a draft version of the rule.

CISA names chief AI officer

CISA today also named Lisa Einstein to serve as the agency’s first chief artificial intelligence officer. Einstein has already been leading the agency’s AI efforts over the past year as a senior advisor. She also served as executive director of CISA’s Cybersecurity Advisory Committee.

“I care deeply about CISA’s mission – if we succeed, the critical systems that Americans rely on every day will become safer, more reliable, and more capable,” Einstein said in a statement. “AI tools could accelerate our progress. But we will only reap their benefits and avoid harms from their misapplication or abuse if we all work together to prioritize safety, security, and trustworthiness in the development and deployment of AI tools.”

CISA plays a key role in the Biden administration’s AI efforts. Biden’s AI executive order directed CISA to lead an evaluation of the risks of using AI in critical infrastructure sectors.

Earlier this week, CISA also reported on the results of an exercise it ran involving AI use for vulnerability detection. The agency said that while current AI systems can enhance existing cybersecurity tools for detecting bugs in software, they can’t completely replace them.

“In some cases, the amount of time needed for analysts to learn how to use the new capabilities is substantial and the incremental improvement gained may be negligible,” CISA stated in its findings. “In some cases, AI tools can be unpredictable in ways that are difficult to troubleshoot.”

Copyright © 2024 Federal News Network. All rights reserved.
