Transnational cybersecurity agencies release guidance on secure procurement of digital products, services

Global cybersecurity agencies on Thursday published guidance to give organizations secure-by-design considerations for procuring digital products and services. The document covers a range of internal and external considerations and offers sample questions to use at each stage of the procurement process. It also tells manufacturers what steps they should take to align their development processes with secure-by-design principles and practices.

Titled ‘Secure by Design: Choosing Secure and Verifiable Technologies,’ the guidance from the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), in collaboration with CISA, the Canadian Centre for Cyber Security (CCCS), the UK’s National Cyber Security Centre (NCSC-UK), and the New Zealand National Cyber Security Centre (NCSC-NZ), is intended to help organizations make secure and informed choices when procuring digital products and services. Software manufacturers are also encouraged to incorporate the secure-by-design principles and practices found in the guidance.

The guidance presents secure-by-design as a proactive security approach for software manufacturers, aligning cybersecurity goals across the organization. It means considering cyber threats from the start and building mitigations in through intentional design, architecture, development, and security measures, rather than bolting them on afterwards. The core aim is to safeguard user privacy and data by shipping digital products with fewer vulnerabilities.

Secure-by-default refers to products that are secure ‘out of the box,’ with little to no additional security setup or configuration required at deployment. Security measures that protect against the most prevalent threats are built into the product or service ‘by default’ at no additional cost to the consumer. Examples of secure-by-default features include multi-factor authentication, audit capabilities, security logging, and default configuration settings set to their most secure values.

Manufacturers should make consumers aware of the known risks of deviating from the default configuration, including how much the likelihood or impact of a compromise increases unless other security mitigations are put in place.

Understanding these principles helps manufacturers produce secure digital products, aiding organizations in making informed choices. Investing in secure products can reduce operating costs, improve profitability, and enhance organizational reputation, fostering long-term corporate value.

The guidance is aimed at organizations that procure and use digital products and services (referred to variously as procuring organizations, purchasers, consumers, or customers), as well as at the manufacturers of those products and services.

It has been designed to inform organizations of secure-by-design considerations for the procurement of digital products and services, resulting in better-informed assessments and decisions. It also intends to inform manufacturers of secure-by-design considerations for digital products and services, resulting in increased development of secure technologies. It provides manufacturers with key security questions and expectations they can anticipate from their customers.

The guidance is broken down into two sections – external procurement considerations and internal procurement considerations. 

The external considerations are meant to guide organizations in making secure and informed purchasing decisions for products and services. The two-stage approach of pre-purchase and post-purchase assessment evaluates both the baseline security of a technology and how its security is maintained throughout its lifecycle. If risks exceed acceptable tolerance levels, organizations should implement mitigations or explore alternative options with lower risk.

These considerations are not exhaustive and organizations may need to address additional factors based on their specific circumstances. Manufacturers can utilize this guidance to equip procuring organizations with the necessary information for making well-informed decisions.

The guidance states that procuring organizations must establish, document, and understand the security requirements they need in a product or service before they start evaluating candidates. This ensures that products or services being procured can be evaluated against the organization’s actual needs. Not all security requirements will be organization-specific; organizations may also be bound by additional requirements under legislation or regulations.

Purchasers should consider security controls that prevent data from being compromised, such as tokenization to replace sensitive data, encryption of data that does not need to be processed (using an encryption method approved in the purchaser’s jurisdiction), and protection of the decryption key.
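As an added illustration of the three controls named above (this is example code written for this article, not material from the guidance or any of the agencies), the following Go program tokenizes a sensitive field so that downstream systems hold only an opaque token, encrypts a field that needs storing but not processing with AES-256-GCM (a NIST-approved authenticated mode; check the approved list for your own jurisdiction), and keeps the key separate from the ciphertext so that whoever holds the data store alone cannot read it. The in-memory token vault, the sample card number and the customer identifier used as associated data are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// TokenVault maps opaque tokens back to the sensitive values they replace.
// In production this is a separately secured service; here it is an
// in-memory map so the example runs offline.
type TokenVault struct {
	mu    sync.Mutex
	store map[string]string
}

func NewTokenVault() *TokenVault { return &TokenVault{store: map[string]string{}} }

// Tokenize replaces a sensitive value with a random 128-bit token. The token
// is not derived from the value, so it leaks nothing about it.
func (v *TokenVault) Tokenize(secret string) (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(buf)
	v.mu.Lock()
	v.store[tok] = secret
	v.mu.Unlock()
	return tok, nil
}

// Detokenize needs access to the vault; a system holding only tokens cannot
// recover the original value.
func (v *TokenVault) Detokenize(tok string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	s, ok := v.store[tok]
	if !ok {
		return "", errors.New("unknown token")
	}
	return s, nil
}

// Encrypt seals plaintext with AES-256-GCM under a 32-byte key. The result is
// nonce||ciphertext||tag; aad binds the blob to a context (e.g. the record it
// belongs to) so it cannot be swapped into another record undetected.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt and fails on a wrong key, altered data or wrong aad.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	vault := NewTokenVault()
	tok, _ := vault.Tokenize("4111111111111111") // constructed sample card number
	fmt.Println("stored in app database:", tok)

	// The key would come from a KMS/HSM; it is never written next to the blob.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, _ := Encrypt(key, []byte("dob=1980-01-01"), []byte("customer:42"))
	fmt.Println("stored in app database:", hex.EncodeToString(blob))
	pt, _ := Decrypt(key, blob, []byte("customer:42"))
	fmt.Println("recovered only with the key:", string(pt))
}
```

The questions a purchaser would put to a vendor map directly onto this: where does the vault live and who can call Detokenize, which cipher and mode are used, and where the key is held relative to the data.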

Manufacturers will most likely have existing suppliers and supply chains on which they depend. The risks associated with a manufacturer’s supply chain are inherited risks to the procuring organization. Accountability resides with the procuring organization, throughout the lifecycle of a product, to ensure that the supply chain of the preferred manufacturer aligns with the procuring organization’s expectations for security and availability, and any risks do not exceed acceptable tolerances. Manufacturers should have a supply chain risk management (SCRM) plan in place to assist in managing supply chain risks.

The guidance outlined that procuring organizations must have visibility of what organizational and customer data is shared and used by the manufacturer during the procurement process and during the use of the product or service. Procuring organizations will need to ensure that data protection security controls pertaining to the manufacturer are sufficient, and meet or exceed the same standard they set for themselves.

It also highlighted that manufacturers must remain vigilant of geopolitical risks that could impact their products and services. Such risks may include trade disputes, changes to import/export laws and regulations, sanctions, and political instability, which could affect a manufacturer’s supply chain, security, and business operation.

The internal procurement considerations, by contrast, cover the purchasing organization’s assessment of itself, conducted alongside its assessment of the manufacturer across three stages: pre-purchase, purchase, and post-purchase. If the risks associated with the chosen product or service exceed the organization’s risk tolerance, appropriate mitigations should be developed or the procurement reconsidered in favour of less risky alternatives. These considerations are not exhaustive, and organizations may need to consider additional factors based on their specific circumstances.

During the pre-purchase phase of self-assessment, the purchaser should consult the following areas of the organization: senior management, policy, infrastructure and security, and the product owner. Each of these areas will have specific requirements and insights that ultimately determine whether the product or service is suitable and of low enough risk for the organization to purchase.

During the purchasing phase of self-assessment, the purchaser should engage with key areas of their organization, including senior management, system administration, infrastructure and security, and the product owner. Each of these departments will offer unique requirements and insights that must be considered before selecting and implementing the final product.

During the post-purchase phase of self-assessment, the purchaser should consult the following areas of the organization: senior management, system administration, infrastructure and security, and the product owner. Each of these areas will have specific requirements and insights that need to be addressed during the ongoing administration and management of the product.

Separately, CISA announced on Wednesday that 68 software manufacturers have voluntarily committed to its Secure by Design pledge. The initiative aims to improve product security by building security in during the design phase, and the manufacturers that sign commit to working towards the pledge’s stated goals. The pledge is a significant step in CISA’s effort to promote secure product design.
