Strengthening Software Acquisition Security: CISA Unveils Innovative Tool

CISA unveils a new web tool for software acquisition, aiming to fortify security during the procurement process

Enhanced Security in Software Acquisition: CISA Implements New Tool

In a bid to bolster cybersecurity practices in software procurement, the United States Cybersecurity and Infrastructure Security Agency (CISA) has unveiled a new tool – the Software Acquisition Guide: Supplier Response Web Tool. Launched in 2025, this free, interactive platform digitizes the existing Software Acquisition Guide to improve software procurement security.

The tool, designed to assist IT leaders, procurement officers, and software vendors, has been developed to make evaluating software assurance and supplier risk more accessible. It breaks the guide into smaller, adaptive sections tailored to user input, simplifying the integration of cybersecurity into every step of procurement.

CISA's Director of Public Affairs, Marci McCarthy, stated that the tool demonstrates the agency's commitment to offering practical, free solutions for smarter, more secure software procurement. The tool is part of CISA's ongoing effort to strengthen the nation's software supply chain resilience, addressing the growing demand for guidance in securing both proprietary and open-source software.

The tool is intended to assist with the assessment of supplier security practices throughout the software lifecycle, including supply chain, development, deployment, and vulnerability management. It highlights the most relevant questions for each acquisition context and generates exportable summaries for CISOs, CIOs, and other decision-makers.

The new tool comes as a response to the increasing concern over vulnerabilities in software supply chains. Many major cyber-attacks have exploited weaknesses in these chains, impacting both government and private sector organizations. By simplifying the process of securing software, the tool aims to help organizations of all sizes adopt more risk-aware, resilient procurement strategies.

Crucially, the tool does not require acquisition professionals to be cybersecurity experts. It incorporates secure-by-design and secure-by-default principles, ensuring that even those with limited cybersecurity knowledge can still make informed decisions about the software they acquire.

In addition to the new tool, the Cybersecurity and Infrastructure Security Agency has also launched the Secure by Demand Guide. Together, these resources help organizations better understand whether security is embedded in a vendor's development process.

The Software Acquisition Guide: Supplier Response Web Tool has already attracted over 10,000 users and been downloaded more than 4,000 times, indicating a high level of interest from federal, state, and local governments as well as small and mid-sized businesses.

In summary, the Software Acquisition Guide: Supplier Response Web Tool is a significant step forward in enhancing cybersecurity practices throughout the software acquisition process. By making it easier for organizations to assess and manage supplier risk, the tool is helping to strengthen the nation's software supply chain resilience.
