CISA details software security keys in new guide for acquisition pros

[UPDATE September 14, 2025: CISA has released an online webtool to help product suppliers prepare to pass US Government Supply Chain Risk Management assessments for OMB M-22-18. Software consumers can also use this tool by asking their product suppliers to complete the online form and send the results to the consumer for evaluation: https://www.cisa.gov/software-acquisition-guide/tool ]

It's been a lot of work, and today CISA crossed the finish line by announcing the Software Acquisition Guide, which gives consumers the help they need to identify and verify trustworthy products based on the "Secure by Design" principles and best practices contained in the Guide.

Always remember:

Risks always exist, but trust must be earned and awarded.™

A risk score tells us what we already know, that risks exist. Get the TRUST SCORE!

Now, software producers will know what to do to create "Secure by Design" products and software consumers will know how to check that products are "Secure by Design" before buying and installing software products. The original advice offered to software suppliers to prepare to meet OMB M-22-18 requirements has been updated to reference these new CISA materials.

Radical transparency has begun, consumers no longer have to blindly trust software - we can check that a software product is "Secure by Design" before buying and installing a product, thanks to CISA's Software Acquisition Guidance Documents.

Consumers should send the CISA Software Assurance Guide spreadsheet to all of their vendors to complete, in order to ensure that products follow CISA "Secure by Design" practices and are trustworthy enough to install in their ecosystem.

CISA makes it very easy for consumers to determine if a software vendor/product is trustworthy:

Step 1. Download CISA’s Software Assurance Guide spreadsheet: https://www.cisa.gov/sites/default/files/2024-08/PDM24064%20Software%20Acquisition%20Guide%20for%20Government%20Enterprise%20Consumers%20Final-%2020240710_v19.xlsx

Step 2. Send the spreadsheet to your vendors, respectfully asking that vendors complete the spreadsheet and return it. There are only 19 top level questions for Vendors to answer.

Step 3. Evaluate the returned spreadsheets to determine which software vendors are following the internationally supported CISA Secure by Design principles and the prudent and practical best practice guidance contained in CISA's Software Acquisition Guide. A free open source tool is available for consumers to evaluate batches of vendor-provided SAG spreadsheets and store the results of each vendor response evaluation: https://github.com/rjb4standards/CISASAGReader/blob/main/README.md

The Software Acquisition Guide for Government Enterprise Consumers (PDF): https://www.cisa.gov/sites/default/files/2024-07/PDM24050%20Software%20Acquisition%20Guide%20for%20Government%20Enterprise%20ConsumersV2_508c.pdf

Step 4. Decide which vendors and products you're willing to trust.
