Acquisition Security Framework (ASF): Enhancing Cybersecurity in Software Development

In early 2024, the Software Engineering Institute (SEI) introduced a pivotal set of practices known as the Acquisition Security Framework (ASF). This initiative, titled "Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk (Expanded Set of Practices)," is designed to establish best practices for developing and maintaining secure, resilient systems throughout their entire lifecycle.

As industries and governments increasingly depend on software for critical systems, the complexity of these systems has grown significantly. This complexity often leads to an extensive supply chain of components, each presenting its own security and resilience challenges. Traditionally, cybersecurity measures are considered only after deployment, making them harder to implement and less effective.

The SEI advocates for a "shift-left" approach, which involves integrating security measures early in the software development and acquisition process. The ASF formalizes these best practices, providing comprehensive guidance for stakeholders, including program managers and operational personnel. By embedding security and resilience into the acquisition, development, and deployment processes, the ASF aims to ensure systems are secure by design.

Framework Structure and Objectives

The ASF categorizes over 330 practices into six key areas: Program Management, Engineering Lifecycle, Supplier Dependency Management, Support, Assessment and Compliance, and Process Management. This framework acts as a roadmap for embedding security and resilience into systems from the beginning, rather than adding them as an afterthought after deployment.

One of the ASF's main objectives is to improve communication among all stakeholders involved in a software project. Carol Woody, a coauthor of the ASF, notes that effective security is achieved through the integration of various disciplines, including engineering, cybersecurity, and operations. The ASF fosters proactive dialogue and provides a common language for discussing system security and resilience.

Collaborative Approach to Security

Chris Alberts, another ASF coauthor, stresses the importance of dismantling silos and incorporating diverse perspectives into a collaborative model for building resilient software. This approach is consistent with SEI's historical frameworks, such as the Capability Maturity Model Integration (CMMI) and the CERT Resilience Management Model (CERT-RMM).

As computing environments become more complex with the rise of cloud computing and systems of systems, the need for integrated cybersecurity and supply chain risk management has increased. Government software programs, especially those involving weapons systems, face significant security challenges, highlighting the importance of resilience.

Implementation and Future Directions

The ASF provides a flexible framework that can be customized to address specific software challenges. Its comprehensive coverage of the lifecycle allows it to be adapted for various security needs, such as Software Bills of Materials (SBOMs) and secure coding practices. The SEI plans to pilot the ASF within an acquisition program, complementing other system security initiatives in measurement, software assurance, and zero trust assurance.

Michael Bandor, an ASF coauthor, underscores the ASF's role in making software security and resilience a collaborative effort. By offering a formal method for integrating security and resilience into every phase of the lifecycle, the ASF ensures that these critical elements are addressed at the appropriate levels of investment.

© scram-pra.org