- Posted May 09, 2024
- Technical Advisories
The NCSC has joined our international partners the Australian Cyber Security Centre (ACSC)(external link), the United States Cybersecurity Infrastructure and Security Agency (CISA)(external link), the Canadian Centre for Cyber Security (CCCS)(external link), and the United Kingdom’s National Cyber Security Centre (NCSC-UK)(external link) in publishing joint guidance that provides recommendations for choosing secure and verifiable technologies.
When an organisation has determined a need to procure a digital product or service, it must consider whether the product or service is secure, and that security will be maintained throughout its specified lifecycle. Proactive integration of security considerations into the procurement process can assist in managing and significantly mitigating risks and reducing costs.
While procuring organisations should endeavour to ask as many of the questions recommended in this paper as possible, it may take time for manufacturers to adapt their behaviours and practices to answer all of these questions. Ultimately, procuring organisations must ensure they have gathered sufficient information to make an informed decision.
The joint guidance is designed to inform organisations of secure-by-design considerations for the procurement of digital products and services, resulting in better-informed assessments and decisions. The guidance also informs manufacturers of secure-by-design considerations for digital products and services, resulting in increased development of secure technologies. It provides manufacturers with key security questions and expectations they can anticipate from their customers.
This guidance is not a checklist and should not be understood to provide absolute or perfect digital procurement outcomes. Rather, it is designed to assist procuring organisations to make informed, risk-based decisions within their own operational context. Every organisation is unique in its structure and approach to procurement, and as such, every item in this paper may not be relevant. Additionally, organisations may need to take other items into consideration that are not covered in this paper, that may be unique to the organisation itself, or industry or region in which it operates.