How to choose secure, verifiable technologies?
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has published a guidance document titled Choosing Secure and Verifiable Technologies, compiled to assist organizations in making informed decisions when procuring software (proprietary or open source), hardware (e.g., IoT devices), and cloud services (SaaS, MSP services).
[Figure: Digital supply chain threat environment (Source: Australian Cyber Security Centre)]
It’s aimed at senior executives, cybersecurity specialists, risk advisers, procurement professionals, as well as manufacturers of digital products and services.
Its goal is to improve decision-making by providing actionable advice on assessing and managing risks throughout the technology lifecycle.
It offers advice on:
- Understanding risks in technology procurement. It explains supply chain attack vectors and evolving cyber threats, and gives guidance on pre-purchase and post-purchase risk management strategies.
- External procurement considerations. It outlines best practices for evaluating manufacturers’ transparency, attestations, and adherence to secure-by-design principles, and emphasizes threat modeling, security certifications, and product interoperability.
- Internal organizational assessments. It describes steps to align procurement decisions with internal risk thresholds, policies, and security infrastructure.
- Secure-by-design and secure-by-default. It advises technology manufacturers on developing products with secure-by-design and secure-by-default principles in mind, and offers guidelines for validating product security.
Organizations are encouraged to integrate the following practices:
- Conduct thorough pre-purchase evaluations, using the document’s questions and criteria to assess manufacturer transparency, compliance, and risk tolerance.
- Use the guidance to design internal policies and procurement strategies that emphasize lifecycle security, incident management, and data sovereignty.
- Refer to the supplementary resources and standards listed in the guidance for in-depth technical support.
This document is not a one-size-fits-all checklist but a flexible framework adaptable to the unique needs of each organization.
The publication is the result of a partnership between ASD’s ACSC, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Canadian Centre for Cyber Security (CCCS), the United Kingdom’s National Cyber Security Centre (NCSC-UK), New Zealand’s NCSC, and South Korea’s National Intelligence Service (NIS).