Press Release

CISA Unveils Tool to Boost Procurement of Software Supply Chain Security

Interactive Web Tool Streamlines Risk-Informed Software Acquisition

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) released the Software Acquisition Guide: Supplier Response Web Tool, a no-cost, interactive resource designed to empower information technology (IT) and industry decision makers, procurement professionals and software suppliers to strengthen cybersecurity practices throughout the software procurement lifecycle.

The Web Tool builds on the “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle”, offering a streamlined, digital experience that simplifies how users assess software assurance and supplier risk.

“This tool demonstrates CISA’s commitment to offering practical, free solutions for smarter, more secure software procurement,” said CISA Director of Public Affairs, Marci McCarthy. “Transforming the Software Acquisition Guide into an interactive format simplifies integrating cybersecurity into every step of procurement.”

The Web Tool supports secure-by-design and secure-by-default principles by:

  • Breaking the Guide into manageable, adaptive sections based on user input
  • Helping users focus on the most relevant questions for their acquisition context
  • Enabling exportable summaries that can be shared with CISOs, CIOs, and other key decision-makers
  • Supporting stronger due diligence and more secure outcomes across procurement efforts

Whether evaluating a single product or managing a complex acquisition, the Web Tool empowers users to make informed, risk-aware decisions that align with federal cybersecurity guidance and best practices.

This release is part of CISA’s broader effort to strengthen software supply chain resilience and equip stakeholders with modern tools that address today’s evolving cyber. CISA continues to prioritize the development of practical, no-cost digital solutions that help organizations of all sizes integrate cybersecurity into their procurement processes.

The Software Acquisition Guide and its accompanying spreadsheet have already reached over 10,000 users and been downloaded more than 4,000 times, reflecting strong demand across federal, state, and local governments, as well as small and mid-sized businesses. 

To learn more, visit: Information and Communications Technology Supply Chain Security

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram