Accession Number:



Acquisition Security Framework (ASF): Integration of Supply Chain Risk Management Across the DevSecOps Lifecycle

Descriptive Note:

[Technical Report, Technical Paper]

Corporate Author:


Report Date:


Pagination or Media Count:



Supply chain cyber risks stem from many organizational dependencies - in particular, processing, transmitting, and storing data information technology and communications technology. These risks are broad, significant, and growing as outsourcing options expand. Important mission capabilities can be undermined by an adversarys cyber-attack on third parties, even when the organization does not explicitly contract for technology. Virtually all products or services an organization acquires are supported by or integrate with information technology that includes third-party componentsservices. Practices critical to monitoring and managing these risks are scattered across the organization, resulting in inconsistencies, gaps, and slow response to disruptions. The Acquisition Security Framework ASF contains leading practices to support programs acquiringbuilding a secure, resilient software-reliant system to manage these risks. It defines the organizational roles that must effectively collaborate to avoid gaps and inconsistencies. It also establishes how an organization should ensure effective supply chain risk management that supports its mission and objectives. The framework contains proven, effective goals and leading practices, and it is consistent with supply chain risk management guidelines from the International Organization for Standardization ISO, National Institute of Standards and Technology NIST, and Department of Homeland Security DHS.

Subject Categories:

  • Cybernetics
  • Information Science
  • Administration and Management

Distribution Statement:

[A, Approved For Public Release]