A new Software Acquisition Guide: Supplier Response Web Tool has been released by the US Cybersecurity and Infrastructure Security Agency (CISA) to improve security in software procurement.
The free, interactive platform is designed to assist IT leaders, procurement officers and software vendors in strengthening cybersecurity practices throughout the acquisition process.
The tool builds on CISA’s Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle. By moving the guide into a digital format, CISA aims to make evaluating software assurance and supplier risk more accessible.
“This tool demonstrates CISA’s commitment to offering practical, free solutions for smarter, more secure software procurement,” said Marci McCarthy, CISA’s director of public affairs.
“Transforming the Software Acquisition Guide into an interactive format simplifies integrating cybersecurity into every step of procurement.”
Key Features of the Tool
The new web tool applies secure-by-design and secure-by-default principles to the acquisition process by:
- Breaking the guide into smaller, adaptive sections tailored to user input
- Highlighting the most relevant questions for each acquisition context
- Generating exportable summaries for CISOs, CIOs and other decision-makers
- Supporting more informed due diligence across procurement efforts
The release comes amid rising concern over vulnerabilities in both proprietary and open-source software. CISA noted that many major cyber-attacks have exploited weaknesses in software supply chains, impacting both government and private sector organizations.
Growing Demand For Guidance
The original Software Acquisition Guide and its supporting spreadsheet have already attracted over 10,000 users and been downloaded more than 4,000 times. Interest spans federal, state and local governments as well as small and mid-sized businesses seeking stronger security practices in procurement.
Notably, the web tool does not require acquisition professionals to be cybersecurity experts. Instead, it enables them to assess supplier security practices across the software lifecycle, from supply chain and development to deployment and vulnerability management.
The new resource is part of CISA’s ongoing effort to strengthen the nation’s software supply chain resilience. Alongside the Secure by Demand Guide, it helps organizations better understand whether security is embedded in a vendor’s development process.
By digitizing and simplifying the acquisition framework, CISA aims to help organizations of all sizes adopt more risk-aware, resilient procurement strategies.