The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) recently released a comprehensive guidance document entitled “Choosing Secure and Verifiable Technologies,” aimed at assisting organizations in making informed decisions when procuring software, hardware, and cloud services.
The document, which targets senior executives, cybersecurity specialists, risk advisers, procurement professionals, and manufacturers of digital products and services, aims to enhance decision-making processes by providing practical advice on assessing and managing risks throughout the technology lifecycle.
One of the key aspects covered in the guidance is understanding the risks associated with technology procurement. It describes supply chain attack vectors and evolving cyber threats, and sets out pre-purchase and post-purchase risk management strategies. The document also emphasizes external procurement considerations, including evaluating manufacturers’ transparency, attestations, and adherence to secure-by-design principles, and it underscores the significance of threat modeling, security certifications, and product interoperability.
Internal organizational assessments are also addressed in the guidance, outlining steps to align procurement decisions with internal risk thresholds, policies, and security infrastructure. Furthermore, the document provides advice to technology manufacturers on developing products with a secure-by-design and secure-by-default strategy and offers guidelines for product security validation.
To implement the recommendations laid out in the guidance, organizations are encouraged to conduct thorough pre-purchase evaluations using the questions and criteria it provides. They are also advised to design internal policies and procurement strategies that prioritize lifecycle security, incident management, and data sovereignty, and to consult the additional resources and standards listed in the guidance for further technical support.
It is important to note that the guidance document is not a one-size-fits-all checklist but rather a flexible framework that can be adapted to the specific needs of each organization. The publication is the result of a collaborative effort between ASD’s ACSC, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Canadian Centre for Cyber Security (CCCS), the United Kingdom’s National Cyber Security Centre (NCSC-UK), New Zealand’s NCSC, and South Korea’s National Intelligence Service (NIS).
By following the recommendations outlined in the guidance document, organizations can enhance their cybersecurity posture and make more informed decisions when procuring technology products and services. It serves as a valuable resource for those looking to mitigate risks and strengthen their overall security posture in an increasingly digital landscape.