
Caveat Emptor for Software Consumers has arrived

Caveat emptor is Latin for “buyer beware”, and the concept is now being applied to software procurement in order to avoid defective, risky software products, which play a role in nearly everyone’s daily activities. Let’s start by asking: what are the risks with a software product?

Software is used across important functions that are supposed to keep humans safe from harm and make everyday life better. Software flies airplanes full of passengers, protects nuclear facilities from harmful events, and supports everyday activities such as online banking and personal communications (e.g., cell phones). Software is everywhere and has become part of our critical path in life, from maintaining critical infrastructure functions that affect large numbers of people to personal health needs that help individuals manage their own care, such as blood glucose monitors. We depend on software to be trustworthy, reliable, resilient and secure in performing its designated functions.

There are many examples of defective, vulnerable software that have resulted in disastrous, sometimes fatal results, such as the Boeing 737 airplane crashes, travel disruptions, and malicious activities such as malware, ransomware and theft. The risks with software are numerous and are present across the globe, even in outer space, where satellites and other spacecraft are operated by software. There are many real-life cases in which software defects and vulnerabilities have impacted people’s lives, such as the Change Healthcare ransomware attack on a UnitedHealth Group subsidiary, which prevented people from filling prescriptions, left doctors’ offices unpaid for services performed, and exposed roughly 190 million patient data records. It’s important to remember that “risk always exists” but “trust does not always exist”, which is one of the reasons caveat emptor has become a vital, yet uncommon, practice in software purchases and operations. Software risk can be fatal to people, disastrous to military operations and society at large, and damaging to business viability, reputation and trust.

Trust in software must be restored, and that requires greater awareness of the ways in which software can be evaluated for risk and of practical methods to determine its trustworthiness, both before buying a product and throughout the time software products are being used to perform important functions. Software is like food: it can go bad overnight, the moment a new exploitable vulnerability becomes known. Risk always exists.

"As AI systems become more integrated into our lives, we must build secure AI platforms that protect against adversarial attacks and safeguard data integrity by following secure-by-design principles. Additionally, we need to introduce the appropriate level of governance in both development and usage to ensure trustworthy AI."
Antonio Neri, President and Chief Executive Officer, Hewlett Packard Enterprise

One leader in this quest for buying trustworthy software has emerged and is providing a model for all to follow in identifying secure, trustworthy software products. The United States National Aeronautics and Space Administration (NASA) has developed and implemented a process to identify trustworthy software products as part of its procurement activities. Before a product is acquired and put to use, it must pass NASA’s risk assessment process.

NASA provides software product manufacturers with a comprehensive set of resources to help them develop and maintain secure, trustworthy software products for NASA’s use. The entire set of resources provided by NASA is available on NASA’s resources page. The specific guidance regarding NASA’s risk assessment process and product expectations is described in a single document. Software suppliers and device manufacturers should carefully study the guidance provided by NASA in order to expedite the risk assessment approval process so that their products can be acquired and put to use by NASA.

Other government agencies and even private enterprises can use these NASA best practices for acquiring secure, trustworthy products to improve their own procurement processes, determine which products are trustworthy, and avoid buying risky software products and devices. CISA hosted a webinar for State Procurement Officials on January 23, 2025 to explain CISA’s guidance for identifying secure, trustworthy software products, which NASA uses in its product risk assessment process. A video of the CISA January 23 webinar should be posted within a couple of weeks. The NASA meeting videos are already available as links on the NASA resources page (Meeting Recordings).

In summary, we know all too well from our own experiences that software defects and vulnerabilities can, and have, impacted our lives and in some cases have proven fatal. Methods to detect and avoid purchasing risky software products have been created by CISA, NIST and NASA, along with specific guidance on how to identify trustworthy software products and devices during procurement. The NASA process for software procurement is a model worthy of emulation by everyone responsible for buying and using trustworthy software products and devices. Don’t be surprised to see updated FAR language, as recommended in Executive Order 14144, in the near future providing clearer guidance on US government software product procurement practices that look strikingly similar to the guidance provided by NASA. Notice that Executive Order 14144 was one of the few Executive Orders issued by President Biden that was retained by President Trump. This is further proof that cybersecurity transcends politics to keep Americans safe. Perhaps ONCD will help advance "radical transparency" by providing a "Trust Registry" of trusted products, per this FAR recommendation in EO 14144:

"(vi) For attestations that undergo validation, the Director of CISA shall inform the National Cyber Director, who shall publicly post the results, identifying the software providers and software version."

The need to give consumers visibility into which products are trustworthy has never been greater, now that known trusted channels like Amazon Web Services (AWS) are providing consumers access to known risky software products, like DeepSeek. A "Trust Registry" of known trusted/validated products, like the one recommended in Executive Order 14144, is needed now more than ever. Godspeed to CISA and ONCD in developing a "Trust Registry" of known trusted products, following the Executive Order 14144 recommendations.

It's encouraging to me to see that "clubhouse" thinking and behavior is replacing "frat house" thinking and behavior in the selection process, where merit and capabilities take precedence over subjective preferential treatment.

"If software understanding challenges were addressed, mission owners and operators would have the ability to routinely ask mission-related questions of mission-relevant software and receive rigorous, reliable, rapid, and repeatable answers—during or after development. Further, this would provide mission owners and operators the ability to characterize mission risk from software based on technical evidence packages, prior to placing the software into service. In turn, this would usher justifiable confidence in software across national security and critical infrastructure. Finally, this would enormously benefit the U.S. national economy, bringing down lifecycle costs of software while engendering confidence in critical applications, freeing up resources to strengthen national security and ensure economic prosperity.
This future is challenging but possible. The technologies needed to analyze software to prevent or discover undesirable behavior rest upon technical foundations with decades of progress, such as formal methods and AI. Recent breakthroughs provide new opportunities to rapidly advance software understanding capabilities. A radically improved future for software understanding and technically informed mission risk is possible, if the nation consciously decides to undertake and commit to the journey."

#42 is the model for clubhouse thinking and behavior: put the best players on the field, and publicly list the most trusted software products that have earned their "badge of trust" and have been placed in this ONCD public trust registry!

#42 is more than just a number!
