search menu icon-carat-right cmu-wordmark

Acquisition Security Framework (ASF): An Acquisition and Supplier Perspective on Managing Software-Intensive Systems’ Cybersecurity Risk

White Paper
The Acquisition Security Framework (ASF) contains practices that support programs acquiring/building a secure, resilient software-reliant system to manage risks.

Software Engineering Institute


Supply chain cyber risks stem from many organizational dependencies, including processing, transmitting, and storing data; information technology; and communications technology. These risks are broad, significant, and growing as outsourcing options expand. Important mission capabilities can be undermined by an adversary’s cyber attack on the organization’s contracted third parties, even when the organization does not explicitly contract for technology. Virtually all products and services an organization acquires are supported by or integrate with information technology that includes third-party components/services. Practices critical to monitoring and managing these risks can be scattered across the organization, resulting in inconsistencies, gaps, and slow response to disruptions. The Acquisition Security Framework (ASF) contains leading practices that support pro-grams acquiring/building a secure, resilient software-reliant system to manage these risks. It defines the organizational roles that must effectively collaborate to engineer systematic resilience processes to avoid gaps and inconsistencies. It also establishes how an organization should ensure it has effective supply chain risk management that supports its mission and objectives. The ASF contains proven and effective goals and leading practices, and it is consistent with supply chain risk management guide-lines from the International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), and Department of Homeland Security (DHS).