Acquisition Security Framework for Managing Engineering and Supply Chain Cyber Risk Released

Article

February 15, 2024—The Software Engineering Institute (SEI) recently released the full set of practices for the Acquisition Security Framework (ASF). This month’s publication of Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk (Expanded Set of Practices) completes the set of “leading practices for building and operating secure and resilient systems across the systems lifecycle,” according to the technical note.

Software has become more crucial to mission-critical systems in both industry and government. But as software systems become more complex, developers and acquirers inherit an ever-growing supply chain of components as well as their security and resilience risks. Too often, cost and schedule concerns push off cybersecurity until after deployment, when it is far more difficult and less effective to mitigate the risks.

The SEI has long advocated the so-called “shift-left” approach to security, or building security into early phases of the software system development and acquisition lifecycle. The ASF formalizes cross-lifecycle best practices for acquiring secure systems and arranges them into comprehensive, actionable guidance for stakeholders from program managers to operational personnel. These practices tightly couple security and resilience into the ways systems are acquired, built, and fielded. The goal is to create software-intensive systems that are secure by design.

The complete ASF, which builds on an earlier partial release, organizes more than 330 practices into six areas: Program Management, Engineering Lifecycle, Supplier Dependency Management, Support, Assessment and Compliance, and Process Management. The resulting framework provides a roadmap for building security and resilience into a system rather than bolting them on after deployment.

Another important way the ASF aims to improve system cybersecurity is by facilitating communication among the stakeholders of a software project. “Programs often build systems in stovepipes—engineering, cybersecurity, operations, quality control—yet no one looks at how the pieces fit,” said Carol Woody, a coauthor of the ASF and a principal researcher in the SEI’s CERT Division. “Security comes from how they all work together.” The ASF practices promote proactive dialogue across all program and supplier teams and provide a common language for stakeholders to discuss system security and resilience.

“You can’t stay in your own silos,” said Chris Alberts, another ASF coauthor and an SEI CERT Division principal cybersecurity analyst. “We’re taking multiple perspectives and integrating them into a collaborative model of how to build resilient software.”

This engineering and process approach is one the SEI has taken in other software domains such as cybersecurity and artificial intelligence. The ASF is the latest in a legacy of SEI frameworks on software engineering, cybersecurity, and resilience: Capability Maturity Model Integration (CMMI); Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE); and the CERT Resilience Management Model (CERT-RMM), among others stretching back over four decades.

In that time, the software security and resilience problem space has expanded exponentially with the introduction of ever more complex computing environments, such as cloud computing and systems of systems. Government software programs, which acquire and integrate nearly all their software components, have felt the weight of modern security challenges most acutely. Weapons systems, in particular, require greater survivability and resilience.

These factors make it more important than ever to integrate cybersecurity and supply chain risk management into the software development and acquisition process. Using the ASF, software professionals can shift toward a more resilience-oriented perspective on security beginning early in the system lifecycle. “You still have to get it done within budget and on schedule,” said Charles Wallen, an information and infrastructure security analyst in the SEI’s CERT Division and one of the ASF’s coauthors. “But the tail can’t wag the dog.”

Because the ASF covers the entire lifecycle, its development and acquisition practices are more general than other, narrower security guidance. This level of abstraction allows users to tailor the framework and tackle a given tough software problem, just as the SEI’s ASF team did last year. As they were finalizing the set of practices, they adapted some into the Software Bill of Materials Framework: Leveraging SBOMs for Risk Reduction. Now that they have published the complete ASF, the team plans to pilot the framework within an acquisition program. This effort would run alongside other SEI system security pilots in the areas of measurement, software assurance, and zero trust assurance.

Different software stakeholders need narrowly focused cybersecurity frameworks, such as for SBOMs or secure coding, to address specific technical areas. But programs also need a way for the many teams supporting an acquisition to identify and influence the tradeoffs that security and resilience require in each phase of the lifecycle. The ASF provides a formal method for dynamically and collaboratively integrating security and resilience into the right places and at the right levels of investment, from the earliest stages of an acquisition to the end of the system lifecycle. As Michael Bandor, ASF coauthor and a senior software engineer in the SEI’s Software Solutions Division, put it, “This is how we make software security and resilience a team sport.”

Download Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk (Expanded Set of Practices) from the SEI Digital Library. For more information on the SEI’s research on security and resilience in software, including the seeds of the ASF from 2012, visit the Acquisition Security Framework Collection.