Modern organizations are becoming more reliant on complex, interdependent, integrated information systems. Key national industries make up the critical infrastructure (CI) and include telecommunications, energy, healthcare, agriculture, and transportation. These CI industries are becoming more dependent on a critical cyber infrastructure (CCI) of computer information systems and networks, which are vital to the continuity of the economy. Organized attackers are increasing in number and power, with more powerful computing resources that increasingly threaten CCI software systems. The motivations for attacks range from terrorism, fraud, identity theft, and espionage to political activism. Government and industry research has found that most cyber attacks exploited known vulnerabilities and common software programming errors. Software publisher vendors have been unable to agree on or implement a secure coding standard for two main reasons. The non-technical consumer is ill informed to demand secure quality products. These current conditions perpetuate preventable risk. As a result, software vendors do not implement security unless specifically required by the customer, leaving many systems full of gaps. Since most exploited vulnerabilities are preventable, the implementation of a minimum level of software quality is one of the key countermeasures for protecting the critical information infrastructure. Government and industry can improve the resilience of the CI in an increasingly interdependent network of information systems by protecting the CCI with stronger software assurance practices and policies and by strengthening product liability laws and fines for non-compliance. In this paper we discuss the increasing software and market risks to CCI and address the strategies to protect the CCI through enhancing software assurance practices and policies.