FBI urges prioritizing security in software suppliers

The FBI, along with CISA, advises businesses and organizations to choose software suppliers that prioritize security from the development phase. This approach aims to create a safer software landscape.

To assist organizations, the FBI and CISA have released the ‘Secure by Demand Guide’. This document outlines how to evaluate software suppliers’ security practices during procurement.

The guide emphasizes the importance of both enterprise security (protecting a company’s infrastructure) and product security (delivering secure, attack-resistant software). It highlights that while compliance standards often focus on enterprise security, they should also address product security.

Organizations are encouraged to consider various security aspects when selecting a software supplier. Key questions include whether the supplier makes updates easy to apply, enables multi-factor authentication by default, ships without default passwords, provides logging capabilities, and has a clear vulnerability reporting policy.

The FBI and CISA recommend integrating product security evaluations throughout all stages of procurement—before, during, and after. This ensures a comprehensive assessment of a supplier’s commitment to security.

This guidance aims to enhance overall software security and help organizations make informed decisions when procuring software solutions.

Visit this CISA article for more information.