Cybersecurity requirements for suppliers and other third parties include secure software and secure product development requirements where appropriate
Context and Guidance: The organisation should have a standard process for setting secure software and product development requirements for third parties. For suppliers that will be developing software, for example, determine and specify what secure design and coding practices are acceptable, such as the NIST Secure Software Development Framework (SSDF), Building Security In Maturity Model (BSIMM), and Open Web Application Security Project (OWASP). Secure product development requirements might prohibit use of specific components with known cybersecurity issues. Additional consideration should be given to third parties that are considered by the organisation as high priority (THIRD-PARTIES-1c) because they supply, maintain, or operate critical software components that are essential to the operation of the function. The definition of a critical software component may vary widely depending on industry or critical infrastructure sector and may be informed by commonly used frameworks or control sets. For example, NIST provides a definition of critical software under Executive Order 14028 that some organisations may be required to adopt. This activity is related to the cybersecurity architecture activities associated with selecting vendors based on their secure software development practices (ARCHITECTURE-4b and ARCHITECTURE-4e).
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: THIRD-PARTIES-2c, THIRD-PARTIES-2f, THIRD-PARTIES-2g, THIRD-PARTIES-2h.