9 May 2024
The NCSC has joined the following international partners to publish joint guidance with recommendations for choosing secure and verifiable technologies:
- Australian Cyber Security Centre,
- United States Cybersecurity and Infrastructure Security Agency,
- Canadian Centre for Cyber Security, and
- United Kingdom’s National Cyber Security Centre.
When an organisation needs to procure a digital product or service, it must consider whether the product or service is secure — and whether its security will be maintained throughout its lifecycle. Building security considerations into the procurement process from the start can help manage and significantly mitigate risks, as well as reduce costs.
While procuring organisations should aim to ask as many of the questions recommended in this paper as possible, it may take time for manufacturers to fully align their practices to these expectations. Ultimately, organisations must gather enough information to make well-informed decisions.
The joint guidance helps organisations consider secure-by-design principles when procuring digital products and services — leading to more informed assessments and purchasing decisions. It also helps manufacturers understand what secure-by-design means for their products and services, and what security-related questions they can expect from customers.
This guidance is not a checklist, and it doesn’t guarantee perfect digital procurement outcomes. Instead, it’s designed to support organisations to make informed, risk-based decisions that suit their own operational context. Every organisation is unique in its structure and approach to procurement, so not every item in this paper will be relevant. Organisations may also need to consider other factors not covered in this paper, depending on their specific needs, industry, or region.