Today, together with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and other international partners, CISA released the following guidance: “Secure-by-Design Choosing Secure and Verifiable Technologies.” This guidance was crafted to provide organizations with secure by design considerations when procuring digital products and services.

The guidance contains a range of internal and external considerations and offers sample questions to leverage at each stage of the procurement process. Additionally, the guidance informs manufacturers on steps they should be taking to align their development processes to secure by design principles and practices.

CISA and partners encourage all organizations to read the guidance to assist with making secure and informed choices when procuring digital products and services. Software manufacturers are also encouraged to incorporate the secure by design principles and practices found in the guidance. To learn more about secure by design principles and practices, visit CISA’s Secure by Design webpage.

Analyst Comment (Jennifer Lyn Walker): How to select secure technology is an enduring challenge. At first glance, this guidance is a valuable resource for utilities at any stage of the procurement process. Members are encouraged to add this to existing Vendor Risk Management programs – or use it to start one. While NOT a checklist, the guidance does offer over 170 prudent questions (yes, I counted) for consideration across all facets of the procurement lifecycle.