Reposted from CISA/DHS
Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Signals Directorate's Australian Cyber Security Centre (ASD ACSC), and other U.S. and international partners published Choosing Secure and Verifiable Technologies. This guide assists senior leaders in understanding the threat environment and highlights the areas in pre- and post-purchase procurement of digital products and services that should be considered. To help organizations understand the risks of technology procurement, the guide outlines several possible attack vectors or actions used by threat actors to compromise networks. Along with these risks, recommended mitigation strategies are provided for organizations to implement to protect their networks. With an understanding of the risks and mitigation strategies, organizations will find themselves empowered to demand evidence from manufacturers that their software development process aligns with Secure by Demand principles. The guide provides several key indicators, consequences, and questions to ask manufacturers that help organizations assess whether a product is secure and verifiable or outside their risk tolerance. Procuring organizations must establish, document, and understand the predetermined security requirements they need in a product or service. Organizations are encouraged to review the guide and implement the recommended actions in their procurement process. An executive summary is also provided.
See Original Post