
Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk

November 2022 Technical Note
Christopher J. Alberts, Michael S. Bandor, Charles M. Wallen, Carol Woody, PhD

This report provides an overview of the Acquisition Security Framework (ASF), a description of the practices developed thus far, and a plan for completing the ASF body of work.


Software Engineering Institute

CMU/SEI Report Number


DOI (Digital Object Identifier): 10.1184/R1/21357627


The Acquisition Security Framework (ASF) is a collection of leading practices for building and operating secure and resilient software-reliant systems across the systems lifecycle. It enables programs to evaluate risks and gaps in their processes for acquiring, engineering, and deploying secure software-reliant systems and provides programs more insight and control over their supply chains. The ASF provides a roadmap for building security and resilience into a system rather than “bolting them on” after deployment. The framework is designed to help programs coordinate the management of engineering and supply chain risks across the many components of a system, including hardware, network interfaces, software interfaces, and mission capabilities. ASF practices promote proactive dialogue across all program and supplier teams, helping to integrate communications channels and facilitate information sharing. The framework is consistent with cybersecurity engineering, supply chain management, and risk management guidance from the International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), and Department of Homeland Security (DHS). This report presents an overview of the ASF and its development status. It also includes a snapshot of the practices that have been developed so far and outlines a plan for completing the ASF body of work.