The software security landscape is at an interesting juncture. As Jen Easterly, the former director of the Cybersecurity and Infrastructure Security Agency (CISA), pointed out, there is a lesson to be drawn from the automotive industry of the 1960s. Its approach to improving car safety by building better designs – including seatbelts, crumple zones, and reinforced frames – proved far more effective at saving lives than responding to accidents after they occurred.
Software providers need to take the same approach and deliver secure solutions by design, moving from reactive risk management to taking proactive accountability for tackling escalating cyber threats. That will require a clear understanding of the fragmented and overlapping nature of many of the industry standards, adopting innovative tools like Cyber Protection Level Agreements (CPLAs), and ensuring through-life service management.
Fragmented and overlapping standards
There have been a rapid expansion in the number of security frameworks across the world in recent years, including ISO 27001 (including ISO/IEC27034), NIST, OWASP, and the EU Cyber Resilience Act. Many organisations, often driven by regulatory, client or customer pressures, have tried to follow these standards. However, for those operating across multiple geographic jurisdictions, these overlapping and, at times, conflicting standards make it difficult to comply. When it comes to software procurement, many CISOs are struggling with supplier evaluation and worried about the likelihood of gaps in security.
Without a unified approach to standards, organisations risk exposure to vulnerabilities that exploit gaps. Supply chain attacks, like the SolarWinds Sunburst breach or the CrowdStrike software update incident, are reminders of what’s at stake: operational disruption, legal action, and damage to stakeholder trust. More consistent standards would not only mitigate these risks but simplify compliance.
What are CPLAs?
CPLAs offer a practical solution by formalising suppliers’ security commitments within procurement contracts. They provide a way to ensure that secure software suppliers are thinking about compliance with the many cyber security standards both current and future. Modelled on Service Level Agreements (SLAs), CPLAs define measurable standards, such as vulnerability assessments, patching timelines, and incident reporting protocols to create clear and enforceable obligations.
Ambiguity in supplier commitments often leads to preventable risks, but by specifying requirements drawn from the applicable standards and regulation, CPLAs create accountability. This prevents suppliers from cutting corners and ensures a consistent level of protection.
CPLAs should specify:
- Time-to-patch guarantees: Critical vulnerabilities patched within 72 hours.
- Software Bill of Materials (SBOM) transparency: Full disclosure of software components, including third-party libraries.
- Incident response KPIs: Defined recovery time objectives and reporting obligations for breaches.
- Lifecycle commitments: Ongoing updates and end-of-life transition plans.
By setting out clear, enforceable targets for their suppliers, organisations should see reductions in downtime, minimised attack vectors, and fewer incidents.
Through-life service management
Secure software procurement requires ongoing management. This can be achieved with through-life service management, which includes regular audits, vulnerability monitoring, and clearly defined end-of-life plans to manage security from acquisition to decommissioning. Without through-life management, organisations risk inheriting unsupported or insecure software, leading to operational vulnerabilities and escalating costs.
Building accountability into secure software procurement
These risks underline the need to embed security into procurement and make sure it is seen as a continuous process, not a one-off task. This starts by aligning procurement with long-term security goals and requiring vendors to demonstrate secure-by-design principles. CPLAs should be integrated into contracts and vendors’ SBOMs and secure development practices evaluated as part of the process.
At the point of service transition, software must be validated through rigorous testing, such as penetration tests. Once the service is then in operation, there needs to be monitoring of performance against CPLA metrics. All this should be accompanied by a focus on continual service improvement to leverage incident reviews to learn lessons for future contracts.
Embedding these principles puts organisations in a stronger position when negotiating with suppliers.
Leveraging AI to consolidate standards
Artificial intelligence (AI) can also play a pivotal role in navigating this fragmented security landscape. Current processes for assessing and harmonising standards are manual, inconsistent, and error prone. AI tools equipped with natural language processing can map overlaps between standards, creating unified requirements that are traceable to the original frameworks, saving time for procurement teams. Emerging real-time compliance monitoring tools have the potential to enforce security obligations automatically, reducing human error and increasing efficiency.
Collaboration: A path to harmonised standards
While CPLAs and AI tools offer internal solutions, systemic change requires collaboration. Buyer consortia and regulatory alignment, as seen with the EU Cyber Resilience Act, can establish universal security baselines.
This kind of collaboration reduces duplication, streamlines compliance, and lowers costs for suppliers and buyers alike. Universal standards create a level playing field, making it easier for organisations to identify secure and reliable vendors.
Next steps for CISOs and procurement leaders: Conclusion
Secure software procurement in 2025 is vital. By unifying fragmented standards, enforcing supplier accountability through CPLAs, and adopting through-life service management, organisations can mitigate risks and improve resilience. The stakes are high, but so are the opportunities. Acting decisively now can protect organisations from cyber threats and reshape the software industry into one that prioritises security as much as innovation.
Robert Campbell, is a cyber security expert at PA Consulting