The purpose of this Procurement section is to assist organisations (private and public) in the tendering and contracting of suppliers to (i) undertake information/cyber assurance assessments, (ii) identify appropriate, proportionate cyber security requirements, and (iii) seek assurances from bidding suppliers as to the extent to which they comply with these requirements, in a way that is aligned with the Guidance Note.

This part can be seen independently from the activities proposed under the heading of IIoTSBOM and the SBOM, but the suggestion is to include the SBOM as part of the procurement process.

Procurement refers to the techniques, structured methods and means used to streamline an organisation's tendering, purchasing, contracting and maintenance activities (the overall procurement and vendor-relations process) and to achieve the desired results while saving cost, reducing time and building win-win supplier relationships. Procurement can be direct, indirect, reactive or proactive in nature.

Procurement is a series of processes that are essential to get products or services from requisition to purchase order and invoice approval. Procurement and purchasing differ slightly from each other.

Consider this as a process in which multiple parts of the organisation need to be involved. Also consider the CyberSecurity part as a shared responsibility between the customer / operator, the vendor(s), the system integrator, the cloud operator, the managed security services provider and any other partner that will be included in the operationalisation of the purchased goods and services.

While purchasing is the overarching process of obtaining necessary goods and services on behalf of an organisation, procurement describes the activities involved in obtaining them. The procurement process in an organisation is unique to its context and operations.

In this section we propose a number of measures for organisations to consider, and some documentation that can support this process in discussions with vendors.

A couple of steps that can be considered during the Procurement Process:

  1. prepare your procurement with your CyberSecurity teams, or prepare your purchasing and procurement teams on CyberSecurity
    1. Step 0: Needs Recognition
    2. Step 1: Purchase Requisition
    3. Step 2: Requisition review
    4. Step 3: Solicitation process
    5. Step 4: Evaluation and contract
    6. Step 5: Order management
    7. Step 6: Invoice approvals and disputes
    8. Step 7: Record Keeping
  2. consider the company policies and how they can be applied to the purchasing and procurement process
  3. inform your vendors about your CyberSecurity considerations and concerns, your CyberSecurity policies and your intention to include it in the purchasing / procurement process
  4. organise awareness and informative sessions and identify risks in discussion with the business drivers and production managers
  5. determine vendor maturity levels and assess the potential risk they or their products and services may cause, consider how to mitigate with the vendor and in your organisation
  6. ask the vendor to provide a CyberSecurity self-assessment, on the basis of a questionnaire (Third Party Risk Assessment); use the provided templates
  7. include in the request for information and request for quote / proposal an item to be completed on CyberSecurity, both on the process of production and CyberSecurity components of the product itself
  8. Tender and Contract Wording
    1. wording that can be used in contract notices and invitations to tender
    2. wording that can be used in contractual terms and conditions
  9. Suggest the use of a Security / Software Bill of Materials (SBOM) – similar to the device Bill of Materials
  10. if non-existent, allow the vendor to provide an SBOM within a reasonable timeframe – use the provided templates
  11. Cyber Implementation Plan – use the provided templates
  12. Integrate the SBOM as part of the CyberSecurity elements of the Procurement – use the provided templates

A couple of steps that can be considered as part of the Procurement but after the purchasing process:

  1. Manage and maintain the vendor: assess their CyberSecurity posture
  2. Manage and maintain the product / services purchased: check the SBOM evolution
  3. Set up the incident management process
  4. Organise Cyber incident exercises and assess the impact
  5. Ensure feedback loops and mitigation plans
  6. Agree on a reasonable time to mitigate / recover / update
  7. Discuss liabilities, costs related to incidents and costs to recover, and direct participation by the vendors or manufacturers
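Checking the SBOM evolution between two releases of a purchased product is the one step above that lends itself to automation. The following is an added example, not code from the original page or from any vendor template it refers to: it compares two constructed, CycloneDX-style SBOM JSON documents (the `SBOM_V1` and `SBOM_V2` strings, the component names and versions in them, and the function names are all assumptions made for the illustration) and reports which components were added, removed or changed version, and which carry no version at all and therefore cannot be tracked against advisories.

```python
"""Track how a purchased product's SBOM changes between vendor releases.

Constructed sample data: two minimal CycloneDX-style SBOMs for a hypothetical
'pump-controller-fw' product, versions 1.0 and 1.1. Not real vendor data.
"""
import json

SBOM_V1 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "pump-controller-fw", "version": "1.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
        {"type": "library", "name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
        {"type": "library", "name": "mbedtls", "version": "2.16.0", "purl": "pkg:generic/mbedtls@2.16.0"},
    ],
})

SBOM_V2 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "pump-controller-fw", "version": "1.1"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.8", "purl": "pkg:generic/openssl@3.0.8"},
        {"type": "library", "name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
        {"type": "library", "name": "libcurl", "version": "7.88.1", "purl": "pkg:generic/libcurl@7.88.1"},
        # Constructed edge case: a component the vendor listed without any version.
        {"type": "application", "name": "busybox"},
    ],
})


def component_key(component):
    """Version-independent identity of a component: the purl with its
    '@version' suffix removed, or the bare name when no purl is present."""
    purl = component.get("purl")
    if purl:
        return purl.split("@", 1)[0]
    return component.get("name", "<unnamed>")


def load_components(sbom_json):
    """Return (versions, unversioned): a mapping key -> version for components
    that declare a version, and the list of keys for those that do not."""
    bom = json.loads(sbom_json)
    versions, unversioned = {}, []
    for comp in bom.get("components", []):
        key = component_key(comp)
        version = comp.get("version")
        if version is None:
            unversioned.append(key)
        else:
            versions[key] = version
    return versions, unversioned


def diff_sboms(old_json, new_json):
    """Compare two SBOMs and return the added, removed and version-changed
    components, plus every component in either SBOM that has no version."""
    old, old_unversioned = load_components(old_json)
    new, new_unversioned = load_components(new_json)
    return {
        "added": {k: new[k] for k in new.keys() - old.keys()},
        "removed": {k: old[k] for k in old.keys() - new.keys()},
        "changed": {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]},
        "unversioned": sorted(set(old_unversioned) | set(new_unversioned)),
    }


def format_report(diff):
    """Render the diff as one line per finding, suitable for a vendor review."""
    lines = []
    for key, ver in sorted(diff["added"].items()):
        lines.append(f"ADDED       {key} {ver}")
    for key, ver in sorted(diff["removed"].items()):
        lines.append(f"REMOVED     {key} {ver}")
    for key, (old_ver, new_ver) in sorted(diff["changed"].items()):
        lines.append(f"CHANGED     {key} {old_ver} -> {new_ver}")
    for key in diff["unversioned"]:
        lines.append(f"UNVERSIONED {key} (cannot be matched against advisories)")
    return lines


if __name__ == "__main__":
    for line in format_report(diff_sboms(SBOM_V1, SBOM_V2)):
        print(line)
```

In practice the two JSON strings would be read from the SBOM files the vendor delivered with each release; the report then feeds the vendor review, and the `UNVERSIONED` entries are the ones to raise with the vendor first, since a component without a version cannot be checked against vulnerability advisories at all.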