Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk

Technical Note
This report provides an overview of the Acquisition Security Framework (ASF), a description of the practices developed thus far, and a plan for completing the ASF body of work.
Publisher

Software Engineering Institute

CMU/SEI Report Number
CMU/SEI-2022-TN-003
DOI (Digital Object Identifier)
10.1184/R1/21357627

Abstract

The Acquisition Security Framework (ASF) is a collection of leading practices for building and operating secure and resilient software-reliant systems across the systems lifecycle. It enables programs to evaluate risks and gaps in their processes for acquiring, engineering, and deploying secure software-reliant systems and provides programs more insight and control over their supply chains. The ASF provides a roadmap for building security and resilience into a system rather than “bolting them on” after deployment. The framework is designed to help programs coordinate the management of engineering and supply chain risks across the many components of a system, including hardware, network interfaces, software interfaces, and mission capabilities. ASF practices promote proactive dialogue across all program and supplier teams, helping to integrate communications channels and facilitate information sharing. The framework is consistent with cybersecurity engineering, supply chain management, and risk management guidance from the International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), and Department of Homeland Security (DHS). This report presents an overview of the ASF and its development status. It also includes a snapshot of the practices that have been developed so far and outlines a plan for completing the ASF body of work.

Cite This Technical Note

Alberts, C., Bandor, M., Wallen, C., & Woody, C. (2022, November 11). Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk. (Technical Note CMU/SEI-2022-TN-003). Retrieved April 25, 2024, from https://doi.org/10.1184/R1/21357627.

@techreport{alberts_2022,
author={Alberts, Christopher and Bandor, Michael and Wallen, Charles and Woody, Carol},
title={Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk},
month={Nov},
year={2022},
number={CMU/SEI-2022-TN-003},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/21357627},
note={Accessed: 2024-Apr-25}
}

Alberts, Christopher, Michael Bandor, Charles Wallen, and Carol Woody. "Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk." (CMU/SEI-2022-TN-003). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, November 11, 2022. https://doi.org/10.1184/R1/21357627.

C. Alberts, M. Bandor, C. Wallen, and C. Woody, "Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Note CMU/SEI-2022-TN-003, 11-Nov-2022 [Online]. Available: https://doi.org/10.1184/R1/21357627. [Accessed: 25-Apr-2024].

Alberts, Christopher, Michael Bandor, Charles Wallen, and Carol Woody. "Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk." (Technical Note CMU/SEI-2022-TN-003). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 11 Nov. 2022. https://doi.org/10.1184/R1/21357627. Accessed 25 Apr. 2024.

Alberts, Christopher; Bandor, Michael; Wallen, Charles; & Woody, Carol. Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk. CMU/SEI-2022-TN-003. Software Engineering Institute. 2022. https://doi.org/10.1184/R1/21357627