Business Cyber Guardian™, with a lot of help from my friend, the very talented and proficient Joseph Wortmann, is pleased to announce the availability of the open-source, free-to-use sag-reader app. It helps software consumers automate the processing of Cybersecurity and Infrastructure Security Agency (CISA) Software Acquisition Guide spreadsheets submitted by software producers, in order to verify products against CISA Secure by Design "radical transparency" principles and practices.
Now, even small businesses, government agencies (State, Federal, Local) and institutions, such as K-12 schools, can use free, open-source tools to proactively check that a software product/vendor is following Secure by Design principles and practices for "radical transparency", based on CISA's Software Acquisition Guide practices spreadsheet for Secure by Design, and so avoid buying or installing risky software products.
The CISASAGReader (sag-reader) source code and installation instructions are available on GitHub:
https://github.com/rjb4standards/CISASAGReader
Additional information is also available on PyPI: https://pypi.org/project/sag-reader/
A product SBOM and a living Vulnerability Disclosure Report (VDR) are also available within the CISASAGReader repository on GitHub. End users of the sag-reader software can always check on the latest vulnerability status of the sag-reader product by examining the online, living VDR at the link above, serving as a virtual CARFAX for software products.
The CISASAGReader product may also serve as a role model for what a Secure by Design solution should provide to satisfy the CISA Secure by Design transparency principle: it gives consumers the artifacts needed for a comprehensive software risk assessment, such as an SBOM, a living Vulnerability Disclosure Report (VDR), a Vendor Response File (VRF) listing additional company information and SDLC policy details, and the CISA Software Acquisition Guide spreadsheet completed by the software producer. The product is also listed in the SAG-CTR Trust Registry along with a Cybersecurity Label containing important information about the product, i.e. support status and commercial status.
NOTE: Effective November 1, 2024, NIST has renamed the Vulnerability Disclosure Report (VDR) to Vulnerability Advisory Report (VAR) to align more closely with IEC 29147 terminology; refer to NIST SP 800-161r1-upd1 and the NIST SBOM website for details: "Ensure that third-party suppliers continuously enrich SBOM data with a VAR." and "Acquiring entities should develop risk management and measurement capabilities to dynamically monitor the impacts of SBOM-related VARs."
Entities familiar with the Python programming language will find that this app follows the usual PyPI packaging and installation conventions, a familiar environment to work with.
NOTE: sag-reader is an intelligent app that knows the Software Acquisition Guide spreadsheet questions to skip based on software producer responses. This eliminates any noise from questions that are not relevant, keeping the output to only the items that are relevant to software consumers interested in validating products as meeting Secure by Design practices, based on the CISA Software Acquisition Guide.
Now it's even easier for software consumers to validate that software products follow CISA Secure by Design principles and practices, based on the CISA Software Acquisition Guide, before purchasing or installing a product. Here are the steps to follow:
- Download the CISA Secure by Design Software Acquisition Guide spreadsheet from CISA.
- Send the CISA spreadsheet to your software vendors, requesting that they complete the Governance tab at a minimum.
- After receiving the software supplier's completed spreadsheet, process it using the new sag-reader app to view the vendor's responses.
- Make a risk-based buying/installation decision based on the information displayed by sag-reader.
Done - now you know if a software product and vendor follow CISA Secure by Design practices based on the CISA Software Acquisition Guide spreadsheet supplied by the original software producer of a product.
Parties familiar with Python can install the sag-reader app using pip:
pip install sag-reader
Running sag-reader is very easy: run sag-reader --help for details. Here is an example usage:
sag-reader --include-descriptions VENDOR-SAG-SPREADSHEET-RESPONSE.xls
This will display the vendor's response to each CISA SAG spreadsheet question.
Try it out for yourself and see how easy it is to use. Download the CISASAGReader spreadsheet to a local folder:
https://github.com/rjb4standards/CISASAGReader/raw/refs/heads/main/CISASAGReader-spreadsheet.xlsx
Then run sag-reader to view the Secure by Design spreadsheet responses for CISASAGReader:
sag-reader --include-descriptions CISASAGReader-spreadsheet.xlsx
Remember, risk always exists. You should always check to see if a product is trusted in the SAG-CTR Trust Registry, including sag-reader.
Parties that require a more comprehensive software product risk assessment, i.e. to meet SEC cybersecurity requirements, can use the Business Cyber Guardian™ application called Software Assurance Guardian Point Man™, SAG-PM™ to produce tamper-proof evidence of software product risk assessment results to present during audits.