
Secure Acquisition Curriculum

January 2020 Educational Material

This course covers how to identify, validate, and resolve supply-chain issues that can occur when acquiring commercial off-the-shelf and custom software solutions.

Abstract

This course examines the practices of secure acquisition, which refers to a management and technical discipline that ensures the integrity of the systems and networks that an organization purchases. It does so by identifying all purchasing risks and single points of failure and providing mitigations that sufficiently satisfy all stakeholders in the supply chain. Secure acquisition involves a strategic, enterprise-level planning and control process, and many practitioners consider it to be a function of generic risk management and technical assurance. However, because of the multifaceted environment in which it operates, secure acquisition involves a much more comprehensive set of basic activities than simple software assurance. Developing mitigations and deploying a secure acquisition process involve a range of academic disciplines, from governance to specification and analysis, legal and regulatory compliance, knowledge management, and testing. Organizations typically establish acquisition assurance at the following three levels: strategy, project infrastructure, and individual product assurance. This course examines all three of these approaches to establishing acquisition assurance from a top-down perspective.