I'm hoping the new administration will continue to support the good work of CISA's NRMC Supply Chain Risk Management Task Force (ICT_SCRM), a public-private partnership that has delivered real solutions to help organizations of all sizes and types validate products as Secure by Design by verifying a product against the practices described in CISA's Software Acquisition Guide spreadsheet, https://cisa.gov/sag
Small government entities and other organizations now have an easy-to-use method to verify that software products follow the Secure by Design practices described in CISA's Software Acquisition Guide spreadsheet. A free-to-use, open-source product called CISASAGReader is now available for all to use to see a vendor's responses on meeting Secure by Design practices.
A simple 4-step process can provide the visibility needed to identify trustworthy products and avoid buying risky ones:
1. Download CISA's Software Acquisition Guide (SAG) spreadsheet, available at https://cisa.gov/sag
2. Send the SAG spreadsheet to your vendors, requesting that they complete the Governance Tab at a minimum and return their spreadsheet to you for evaluation
3. Use the sag-reader tool to examine the returned spreadsheets
4. Determine which vendors/products are within your own risk appetite and tolerance based on the sag-reader outputs.
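The following script is an added example of what steps 3 and 4 amount to in practice: tally one vendor's Governance responses, flag the rows a reviewer should look at (practices answered "No", left blank, or claimed "Yes" with no evidence), and apply the buyer's own thresholds. It is not the CISASAGReader tool and does not use its API; the CSV column layout (ID, Practice, Vendor Response, Evidence) and the sample vendor answers are constructed for this example and are not the layout of CISA's SAG workbook.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field

# Constructed sample: a CSV export of one vendor's completed Governance tab.
# The column names and the practices listed are assumptions made for this
# example, not the layout or content of CISA's actual SAG workbook.
SAMPLE_GOVERNANCE_CSV = """\
ID,Practice,Vendor Response,Evidence
GOV-1,Vendor publishes a vulnerability disclosure policy,Yes,https://vendor.example/vdp
GOV-2,Vendor provides an SBOM with the product,Partial,SBOM available on request
GOV-3,Vendor follows a documented secure development lifecycle,No,
GOV-4,Vendor publishes CVEs for fixed vulnerabilities,Yes,
GOV-5,Vendor supports phishing-resistant MFA for administrative access,,
"""

# Credit given per answer; a blank or unrecognised answer earns nothing.
RESPONSE_WEIGHT = {"yes": 1.0, "partial": 0.5, "no": 0.0}


@dataclass
class ReviewResult:
    vendor: str
    score: float                                          # credit / practices, 0..1
    gaps: list[str] = field(default_factory=list)         # answered "No"
    unanswered: list[str] = field(default_factory=list)   # blank or unrecognised
    unsupported: list[str] = field(default_factory=list)  # "Yes" with no evidence


def review_governance_tab(vendor: str, csv_text: str) -> ReviewResult:
    """Tally one vendor's responses and flag rows that need reviewer attention."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    result = ReviewResult(vendor=vendor, score=0.0)
    if not rows:
        return result  # an empty tab gives no credit rather than an error
    credit = 0.0
    for row in rows:
        practice_id = row["ID"].strip()
        answer = (row.get("Vendor Response") or "").strip().lower()
        evidence = (row.get("Evidence") or "").strip()
        if answer not in RESPONSE_WEIGHT:
            # Unanswered practices are treated as unmet: the vendor made no claim.
            result.unanswered.append(practice_id)
            continue
        credit += RESPONSE_WEIGHT[answer]
        if answer == "no":
            result.gaps.append(practice_id)
        elif answer == "yes" and not evidence:
            # A bare "Yes" is a claim, not a verification; keep it on the list.
            result.unsupported.append(practice_id)
    result.score = credit / len(rows)
    return result


def within_risk_tolerance(result: ReviewResult, min_score: float,
                          max_unanswered: int = 0) -> bool:
    """Step 4: apply the buyer's own thresholds; unanswered rows count as risk."""
    return result.score >= min_score and len(result.unanswered) <= max_unanswered


if __name__ == "__main__":
    r = review_governance_tab("ExampleVendor", SAMPLE_GOVERNANCE_CSV)
    print(f"{r.vendor}: score={r.score:.2f} gaps={r.gaps} "
          f"unanswered={r.unanswered} unsupported={r.unsupported}")
    print("within tolerance at 0.8:", within_risk_tolerance(r, min_score=0.8))
```

The thresholds passed to `within_risk_tolerance` are where the organization's risk appetite is expressed; the script deliberately keeps "Yes" answers without an evidence reference on a separate list so a reviewer can follow up rather than accept the claim as verified.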