Acquisition Security Framework (ASF) Collection
• Collection
Publisher
Software Engineering Institute
Abstract
The Acquisition Security Framework (ASF) is a collection of leading practices for building and operating secure and resilient systems across the systems lifecycle. These practices enable programs to evaluate risks and gaps in their processes for acquiring, engineering, and deploying secure systems and to exercise more insight and control over their supply chains. The ASF provides a roadmap for building security/resilience into a system rather than “bolting them on” after deployment. ASF practices promote proactive dialogue across all program and supplier teams, helping to integrate communication channels and facilitate information sharing. The framework helps programs coordinate their management of engineering and supply chain risks across the many components of a system. These risks require ongoing monitoring and management across all phases of the systems lifecycle due to the dynamic nature of the threat environment and the rapid evolution of technologies. The ASF is consistent with cybersecurity engineering, supply chain management, and risk management guidance from the International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), and Department of Homeland Security (DHS). This report builds on a previous report, Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk, and includes a full set of ASF practices.
Collection Items
Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk (Expanded Set of Practices)
• Technical Note
By Christopher J. Alberts, Michael S. Bandor, Charles M. Wallen, Carol Woody
This framework of practices helps programs coordinate their management of engineering and supply chain risks across the systems lifecycle.
Addressing Supply Chain Risk and Resilience for Software-Reliant Systems
• Webcast
By Carol Woody, Charles M. Wallen
In this webcast, Carol Woody and Charles Wallen discuss the Acquisition Security Framework (ASF) and how the ASF provides a roadmap to help organizations build security and resilience into a …
Asking the Right Questions to Coordinate Security in the Supply Chain
• Podcast
By Carol Woody
Carol Woody talks with Suzanne Miller about the SEI’s newly released Acquisition Security Framework, which helps programs coordinate the management of engineering and supply-chain risks across system components.
Acquisition Security Framework (ASF)
• Presentation
By Software Engineering Institute
This presentation and collaboration conversation reviews the Acquisition Security Framework (ASF).
An Acquisition Security Framework for Supply Chain Risk Management
• Blog Post
By Carol Woody
As Log4J and SolarWinds have proven, attacks on the software supply chain are increasingly frequent and devastating to both the private and public sector. The Department of Defense (DoD) and …
Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk
• Technical Note
By Christopher J. Alberts, Michael S. Bandor, Charles M. Wallen, Carol Woody
This report provides an overview of the Acquisition Security Framework (ASF), a description of the practices developed thus far, and a plan for completing the ASF body of work.
Acquisition Security Framework (ASF): An Acquisition and Supplier Perspective on Managing Software-Intensive Systems’ Cybersecurity Risk
• White Paper
By Christopher J. Alberts, Michael S. Bandor, Charles M. Wallen, Carol Woody
The Acquisition Security Framework (ASF) contains practices that support programs acquiring/building a secure, resilient software-reliant system to manage risks.
Acquisition Security Framework (ASF): Informing Software Bill of Materials (SBOM) Use Cases and Risk Reduction
• Presentation
By Carol Woody
In this presentation, the author shows how organizations can connect SBOMs to acquisition and development to support improved system and software assurance.
Acquisition Security Framework (ASF): Informing Software Bill of Materials (SBOM) Use Cases and Risk Reduction
• Presentation
By Carol Woody
In this presentation, the author discusses how organizations can connect SBOMs to acquisition and development to support improved system and software assurance.
Preview of Developing the Acquisition Security Framework (ASF) towards Integrating Supply Chain Risk Management into the Program Acquisition and Engineering Lifecycles
• Video
By Carol Woody
This short video provides an introduction to a research topic presented at the SEI Research Review 2022.
Better Manage Your Supply Chain
• Brochure
By Software Engineering Institute
This brochure describes the Acquisition Security Framework (ASF), which enables you to achieve a secure, resilient, and survivable supply chain.
Applying the SEI SBOM Framework
• Blog Post
By Carol Woody
The SEI SBOM Framework helps organizations use a software bill of materials (SBOM) for third-party software management. We created it, in part, in response to Executive Order (EO) 14028, Improving …
The SEI SBOM Framework: Informing Third-Party Software Management in Your Supply Chain
• Blog Post
By Christopher J. Alberts, Michael S. Bandor, Charles M. Wallen, Carol Woody
Recent events, such as those affecting SolarWinds and Log4j, demonstrate the scale of cybersecurity disruption that can result from a lack of vigilance when it comes to the management of …
Leveraging Software Bill of Materials Practices for Risk Reduction
• Webcast
By Carol Woody, Charles M. Wallen, Michael S. Bandor
In this webcast, Charles Wallen, Carol Woody, and Michael Bandor discuss how organizations can connect Software Bill of Materials (SBOM) to acquisition and development.
Software Bill of Materials Framework: Leveraging SBOMs for Risk Reduction
• White Paper
By Charles M. Wallen, Christopher J. Alberts, Michael S. Bandor, Carol Woody
This paper is a Software Bill of Materials (SBOM) Framework that is a starting point for expanding the use of SBOMs for managing software and systems risk.