Work with Companies That Carry Multiple Software Product Lines
Software resellers that carry multiple product lines are incentivized to assist agencies, and provide a vendor-agnostic approach. Original equipment manufacturers, on the other hand, are inclined to tell agencies why their product is right and their competitors’ products are wrong.
In the same vein, small business partners and niche players tend to align themselves with specific OEMs such as Amazon Web Services, Microsoft or Splunk. When an agency turns to them with a security problem, those OEMs are always the answer — limiting flexibility.
Agencies need to start treating a lack of variety among software partners as a red flag. Resellers are more likely to offer frank feedback on the security of the software they offer, and agencies can draw on the resellers' experience with previous federal customers. That's only going to become more critical as cyberattacks evolve.
Interagency Collaboration on Software Security Is Key
Only through collaboration can agencies understand what others are doing to ensure software security, as well as how successful others have been with different software packages. Unfortunately, that sort of collaboration doesn’t happen as frequently among civilian agencies as it does within the military.
Military branches are far more aware of what the others are doing with respect to software security, even if some of that collaboration is mandated. Part of that is because missions within the Department of Defense tend to overlap.
Civilian agencies, because they have more disparate missions, tend not to see as much value in sharing information on software best practices. The Department of Energy might not be as interested in what secure software the U.S. court system or U.S. Department of Agriculture is using.
Look for Companies with Security Certifications
The International Organization for Standardization creates information security standards. ISO 27001, its formal standard for information security management systems against which organizations can be certified, promotes a holistic approach to risk management and cyber resilience through the vetting of people, processes and tools.
A third-party ISO 27001 certification demonstrates that a company is committed and able to manage information securely and safely, affording it a competitive edge and its agency customers some peace of mind that the company actively works to reduce supply chain vulnerabilities.
Agencies can be confident that companies with such certifications have at least eliminated some vulnerabilities.
And while there’s currently no secure-by-design certification for OEMs to obtain, it’s fair for agencies to assume companies that are ISO 27001–certified would pursue one should it be made available. They’re clearly doing their due diligence.