The selection of all procured software includes consideration of the vendor’s secure software development practices
Context and Guidance: This practice extends the architectural tactics for selection of procured software noted at MIL1. This practice requires that the organisation consider the software development practices of vendors for all procured software. The organisation may specify secure design and coding practices from vendors such as those identified in established standards including the NIST Secure Software Development Framework (SSDF), Building Security In Maturity Model (BSIMM), and Open Web Application Security Project (OWASP). Additional consideration should be given to high priority suppliers (THIRD-PARTIES-1c) because they supply, maintain, or operate critical software components that are essential to the operation of the function. The definition of a critical software component may vary widely depending on industry or critical infrastructure sector and may be informed by commonly used frameworks or control sets. For example, NIST provides a definition of critical software under Executive Order 14028 that some organisations may be required to adopt. This activity is related to the cybersecurity architecture activities associated with selecting vendors based on their secure software development practices (THIRD-PARTIES-2h and ARCHITECTURE-4b).
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: ARCHITECTURE-4b, ARCHITECTURE-4e, ARCHITECTURE-4g, ARCHITECTURE-4h, ARCHITECTURE-5h.