
Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle


The Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle was developed in response to the core challenges of software assurance and cybersecurity transparency in the acquisition process, focusing primarily on software lifecycle activities. Importantly, the Software Acquisition Guide focuses on “Secure by Demand” elements by providing recommendations that help agency personnel, including mission owners, contracting staff and requirements offices, engage in more relevant discussions with their enterprise risk owners (such as CIOs and CISOs) and candidate suppliers. The Software Acquisition Guide ensures that enhanced, risk-informed decisions can be made during the acquisition and procurement of software and cyber-physical products.

Many well-known attacks have exploited vulnerabilities and weaknesses in software and within software supply chains, an issue that spans both proprietary and open-source software and impacts both private sector and government enterprises. Acquisition and procurement professionals can use the guidance in the Software Acquisition Guide as a basis to describe, assess, and measure suppliers’ security practices relative to the software life cycle without requiring that acquisition team members become cybersecurity experts. The Software Acquisition Guide builds on existing U.S. Government cybersecurity guidance to address four phases of software ownership: software supply chains, development practices, deployment, and vulnerability management.

It is important to note that CISA’s Secure by Demand Guide complements the Software Acquisition Guide by helping organizations acquiring software gain a more precise understanding of the software manufacturer’s approach to cybersecurity. It empowers users to evaluate whether Secure by Design is a foundational principle in the vendor’s development process, ensuring stronger security outcomes.

The accompanying Software Acquisition Guide: Supplier Response Web Tool was developed to make navigating the Software Acquisition Guide more efficient, focused, and actionable. Designed to break down the Software Acquisition Guide into manageable sections, the tool tailors your experience by prompting only the most relevant questions based on your previous responses. This adaptive approach helps users concentrate on what matters most for their specific acquisition context, saving time and improving clarity.

Once completed, the tool allows users to export and print a customized document that summarizes their responses. This output can be shared with an organization’s CISO, CIO, or other decision makers, enabling users to make more informed, risk-aware decisions regarding software assurance and procurement. Whether users are evaluating a single product or overseeing a complex acquisition, the Web Tool supports better collaboration, stronger due diligence, and more secure outcomes.