Full Report
Transnational cybersecurity agencies released updates to a May ‘Secure by Design’ alert on Thursday, guiding organizations with secure... The post Cybersecurity agencies update ‘Secure by Design’ alert to counter threats, select secure and verifiable technologies appeared first on Industrial Cyber.
Analysis Summary
# Best Practices: Secure Procurement of Digital Products and Services
## Overview
These practices consolidate guidance from transnational cybersecurity agencies (CISA, ASD ACSC, CCCS, NCSC-UK, NCSC-NZ, NIS) aimed at organizations procuring digital products and services. The focus is on integrating 'Secure by Design' principles proactively into the procurement process to enhance resilience, manage supply chain risks, and reduce long-term mitigation costs.
## Key Recommendations
### Immediate Actions
1. **Demand Secure Defaults:** Explicitly require manufacturers to offer solutions that are 'secure-by-design' and 'secure-by-default' in all procurement requests.
2. **Initial Risk Screening:** Run low-cost security checks on prospective products/services and their manufacturers (public vulnerability history, disclosure policy, support status) before committing resources to a formal evaluation.
3. **Review Current Environment:** Assess the organization's internal policies, procedures, and practices related to the intended product/service category *before* finalizing procurement decisions.
### Short-term Improvements (1-3 months)
1. **Mandate Security Evidence:** Require manufacturers to provide evidence of mitigations against known threat vectors, especially those affecting their supply chain ecosystem.
2. **Define Security SLAs:** Establish clear, measurable security requirements within Service Level Agreements (SLAs) regarding patching cadence, vulnerability disclosure, and incident response commitments.
3. **Establish Product Risk Tolerance:** Define and document the organization's acceptable risk tolerance level for specific digital products and services being considered for purchase.
### Long-term Strategy (3+ months)
1. **Integrate Security into Lifecycle:** Embed security assessments across the entire procurement lifecycle: pre-purchase, transition-to-service, and operational phases.
2. **Implement Supply Chain Vetting:** Develop a standardized process to evaluate the security posture of the manufacturer's suppliers (the extended supply chain).
3. **Formalize Off-Boarding:** Establish mandatory contractual clauses for end-of-life or service discontinuation, requiring manufacturers to return or transfer the organization's data and to provide verifiable confirmation that any remaining copies have been securely destroyed.
## Implementation Guidance
### For Small Organizations
- **Prioritize Critical Gaps:** Focus immediate effort on demanding 'secure-by-default' configurations and verifying that critical security features (like strong authentication) are enabled out-of-the-box.
- **Use Standard Checklists:** Leverage publicly available security questions/checklists from CISA/NCSC partners to guide initial vendor interviews, rather than building custom evaluation frameworks.
### For Medium Organizations
- **Formalize Assessment Stages:** Document the three-stage assessment process (pre-purchase, transition, operation) and assign clear ownership for completing security checks at each stage.
- **Contractual Review:** Ensure legal/procurement teams review contract clauses to embed security assurance, SLAs, and mandatory end-of-life procedures.
### For Large Enterprises
- **Develop Supply Chain Mapping:** Institute formal procedures to map and assess the security posture of Tier 1 and Tier 2 suppliers to the products being procured.
- **Establish Risk Threshold Process:** Create a formal process where any product assessment resulting in risks exceeding established tolerance triggers documented mitigation planning, procurement reconsideration, or executive sign-off for acceptance.
## Configuration Examples
*(The source provides no specific configuration variables; the practice is that the required secure configuration is defined through procurement requirements and written into the contract.)*
**Required Contractual/Configuration Stipulations:**
1. **Secure Configuration Documentation:** Manufacturers must supply detailed documentation outlining the secure configuration baseline used at the time of delivery.
2. **Mandatory Data Handling Policy:** Manufacturers must provide explicit guidance on data handling, storage, and secure deletion, covering **both the service term and the period after termination**.
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF):** Mapping product selection and assessment activities to the CSF functions (Identify, Protect, Detect, Respond, Recover, plus Govern in CSF 2.0). Where the NIST Risk Management Framework (RMF) is in use, the pre-purchase, transition, and operational assessment stages map onto its Categorize, Select, Implement, Assess, Authorize, and Monitor steps; the five function names above belong to the CSF, not the RMF.
- **ISO/IEC 27001:** Ensuring vendor security practices meet the Annex A controls on supplier relationships and the broader information security controls the standard requires.
- **CIS Critical Security Controls (CIS Controls):** Using the CIS Controls to evaluate the manufacturer's security posture, and the separate CIS Benchmarks to assess the hardening of the procured product/service configuration.
## Common Pitfalls to Avoid
- **Treating Security as Post-Sale:** Avoid believing that necessary security configurations or mitigations can be easily applied after purchase; security must be 'by design'.
- **Ignoring the Extended Supply Chain:** Focusing only on the direct vendor while neglecting potential vulnerabilities introduced by their upstream component suppliers.
- **Failing to Define Off-Boarding:** Procuring services without establishing clear, verifiable steps for data retrieval and secure termination/deletion by the manufacturer.
## Resources
- The joint CISA/ASD ACSC 'Secure by Design' alert and its update (general reference for the joint agency guidance summarized above).
- Secure technology procurement documentation published by partner agencies (NCSC-UK, CCCS, and others), usable as a source of vendor evaluation question sets.