
Richard "Dick" Brooks

CISA details software security keys in new guide for acquisition pros

It's been a lot of work, and today CISA crossed the finish line by announcing the Software Acquisition Guide, giving consumers the help they need to identify and verify trustworthy products based on "Secure by Design" principles. Always remember:

Risks always exist, but trust must be earned and awarded.™

A risk score tells us what we already know: that risks exist. Get the TRUST SCORE!

Now, software producers will know what to do to create "Secure by Design" products and software consumers will know how to check that products are "Secure by Design" before buying and installing software products. The original advice offered to software suppliers to prepare to meet OMB M-22-18 requirements has been updated to reference these new CISA materials.

Radical transparency has begun: consumers no longer have to blindly trust software. We can check that a software product is "Secure by Design" before buying and installing it, thanks to CISA's Software Acquisition Guidance Documents.

Consumers should send the CISA Software Assurance Guide spreadsheet to all of their vendors to complete, in order to ensure that products are following CISA "Secure by Design" practices and are trustworthy enough to install in their ecosystem.

CISA makes it very easy for consumers to determine if a software vendor/product is trustworthy:

Step 1: Download CISA’s Software Assurance Guide spreadsheet: https://www.cisa.gov/sites/default/files/2024-08/PDM24064%20Software%20Acquisition%20Guide%20for%20Government%20Enterprise%20Consumers%20Final-%2020240710_v19.xlsx

Step 2: Send the spreadsheet to your vendors, respectfully asking that they complete it and return it. There are only 19 top-level questions for vendors to answer.

Step 3: Evaluate the returned spreadsheets to determine which software vendors are following the internationally supported CISA Secure by Design principles and the prudent and practical guidance contained in CISA’s Software Acquisition Guide:

https://www.cisa.gov/sites/default/files/2024-07/PDM24050%20Software%20Acquisition%20Guide%20for%20Government%20Enterprise%20ConsumersV2_508c.pdf

Step 4: Decide which vendors and products you’re willing to trust.
