CISA's guide helps bridge the gap between acquisition and IT, as the FAR Council works on a highly anticipated software security rule.