May 4-6, 2026 | The Hotel UMD, College Park, Maryland

Software Acquisition Guide for Government Enterprise Consumers (Y22a)

07 May 2025
1:30 pm

Many cyberattacks have exploited vulnerabilities and weaknesses in software and within software supply chains, an issue that spans both proprietary and open-source software and affects both private sector and government enterprises. Customers and mission owners, as often represented by their acquisition and procurement organizations, may use the guidance in the Software Acquisition Guide as a basis to describe, assess, and measure suppliers' cybersecurity practices relative to the software life cycle and CISA Secure by Design principles, without requiring acquisition staff to become cybersecurity experts. This Guide covers software development practices, supply chains, deployment, and vulnerability management phases of software ownership.