Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk
• Technical Note
Publisher
Software Engineering Institute
CMU/SEI Report Number
CMU/SEI-2022-TN-003
DOI (Digital Object Identifier)
10.1184/R1/21357627
Abstract
The Acquisition Security Framework (ASF) is a collection of leading practices for building and operating secure and resilient software-reliant systems across the systems lifecycle. It enables programs to evaluate risks and gaps in their processes for acquiring, engineering, and deploying secure software-reliant systems and provides programs more insight and control over their supply chains. The ASF provides a roadmap for building security and resilience into a system rather than “bolting them on” after deployment. The framework is designed to help programs coordinate the management of engineering and supply chain risks across the many components of a system, including hardware, network interfaces, software interfaces, and mission capabilities. ASF practices promote proactive dialogue across all program and supplier teams, helping to integrate communications channels and facilitate information sharing. The framework is consistent with cybersecurity engineering, supply chain management, and risk management guidance from the International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), and Department of Homeland Security (DHS). This report presents an overview of the ASF and its development status. It also includes a snapshot of the practices that have been developed so far and outlines a plan for completing the ASF body of work.
Part of a Collection
Acquisition Security Framework (ASF) Collection
Cite This Technical Note
Alberts, C., Bandor, M., Wallen, C., & Woody, C. (2022, November 11). Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk. (Technical Note CMU/SEI-2022-TN-003). Retrieved November 2, 2024, from https://doi.org/10.1184/R1/21357627.
@techreport{alberts_2022,
author={Alberts, Christopher and Bandor, Michael and Wallen, Charles and Woody, Carol},
title={Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk},
month={Nov},
year={2022},
number={CMU/SEI-2022-TN-003},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/21357627},
note={Accessed: 2024-Nov-2}
}
Alberts, Christopher, Michael Bandor, Charles Wallen, and Carol Woody. "Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk." (CMU/SEI-2022-TN-003). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, November 11, 2022. https://doi.org/10.1184/R1/21357627.
C. Alberts, M. Bandor, C. Wallen, and C. Woody, "Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Note CMU/SEI-2022-TN-003, 11-Nov-2022 [Online]. Available: https://doi.org/10.1184/R1/21357627. [Accessed: 2-Nov-2024].
Alberts, Christopher, Michael Bandor, Charles Wallen, and Carol Woody. "Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk." (Technical Note CMU/SEI-2022-TN-003). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 11 Nov. 2022. https://doi.org/10.1184/R1/21357627. Accessed 2 Nov. 2024.
Alberts, Christopher; Bandor, Michael; Wallen, Charles; & Woody, Carol. Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk. CMU/SEI-2022-TN-003. Software Engineering Institute. 2022. https://doi.org/10.1184/R1/21357627