CISA, U.S. and international partners release updated 'Secure by Design' principles
WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), along with 17 U.S. and international partners, published an update to “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software” that includes further detail on key principles, guidance, and is co-sealed by eight additional international cybersecurity agencies. CISA Director Jen Easterly will discuss the importance of this updated guidance and next steps during Singapore International Cyber Week.
Initially published in April 2023, this joint guidance urges software manufacturers to take urgent steps necessary to design, develop, and deliver products that are secure by design.
This updated guidance includes feedback received from hundreds of individuals, companies, and non-profits. It expands on the three principles defined in the initial guidance: Take Ownership of Customer Security Outcomes, Embrace Radical Transparency and Accountability, and Lead From the Top.
This update highlights how software manufacturers can demonstrate these principles to their customers and the public, emphasizing that software manufacturers must be able to compete on the basis of security. This joint guidance is intended to help software manufacturers demonstrate their commitment to secure by design principles and give customers suggestions on how to ask for products that are secure by design.
In the coming weeks, CISA will be releasing a Request for Information on secure by design practices, inviting feedback on this guidance and to understand steps that companies are undertaking in line with secure by design principles.
Joining CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, United Kingdom, Germany, Netherlands, and New Zealand (CERT NZ, NCSC-NZ), who co-sealed the initial version, this updated guidance benefitted from insights and partnerships with cybersecurity agencies in the Czech Republic, Israel, Singapore, Korea, Norway, OAS/CICTE CSIRTAmericas Network, and Japan (JPCERT/CC and NISC).
“I am extremely proud of the expansive, insightful and aligned U.S. and international partnerships that have come together with a shared vision of a future in which technology products are secure by design,” said CISA Director Jen Easterly. “Thanks to the feedback of hundreds of partners, we have revised this guidance to focus even more on how companies can demonstrate their commitment to secure by design principles. To achieve the National Cybersecurity Strategy’s goal of rebalancing the responsibility in cyberspace, customers need to be able to demand more from their vendors – and this joint guidance gives them the tools to do exactly that.”
“We appreciate the cooperation with CISA and other international partners on this joint output. Within the EU, the Cyber Resilience Act seeks to reinforce product security and consumers´ safety, said Lukáš Kintr, Director of the National Cyber and Information Security Agency of the Czech Republic. “In a globally interconnected and technology-driven world, our collective endorsement of Security by Design approach aims to strengthen our resilience and protection of our citizens and critical infrastructure across the continents.”
“'Security by Design' is a change in the paradigm of cybersecurity responsibility between the stakeholders. INCD would like to see the shift of responsibility from the end-user to the manufacturers and service providers. In the modern world, cybersecurity is a basic commodity, like water, energy and environmental protection; hence- it should be secure by design and by default,” said Gaby Portnoy, Director General INCD. “INCD is proud to take part in CISA's publication of this product, which we see as critical step towards a secure and resilient technology for all customers. INCD will encourage manufacturers in the Israeli market is to adopt this guidance.”
“Security by design and default are essential principles to secure the technologies that have permeated our daily lives. Technology manufacturers should be intentional about ensuring that cybersecurity is a key aspect of product development from the start, such that their products are inherently safe and secure for all users,” said David Koh, Commissioner of Cybersecurity and Chief Executive, Cyber Security Agency of Singapore. “Security should not be an “optional extra”. CSA is proud to collaborate with CISA and other partner agencies to develop the guide on Security by Design. CSA strongly encourages its adoption.”
“Cyberattacks resulting from software vulnerabilities are continuously increasing, and given their significant impact, secure management of these vulnerabilities is crucial. In Korea, there are actual cases where specific attack groups held multiple vulnerabilities in widely used solutions, and these vulnerabilities were exploited for attacks,” said Vice President Choi, Kwang Hee of KISA and head of KrCERT/CC. “Reviewing this guide has given us insight into the perspectives of international affiliated agencies. To ensure the secure development of domestic software products, we also plan to release a Korean version."
“Products and services that are Secure by Design make up keystones in our common cyber resilience. This concept improves the quality of our guidance and advisories by incorporating elements such as zero trust and software supply chain risk management”, said Martin Albert-Hoff, Director of The Norwegian National Cyber Security Centre. “The NCSC NO are proud to work together with CISA and the other partner agencies, and this cooperation contributes to strengthen cyber resilience in today’s unpredictable global situation.”
"Successful results in the cybersecurity field can only be achieved in a collaborative manner. We are therefore delighted to contribute to this guide with the experience accumulated in the OAS/CICTE CSIRTAmericas Network, which brings together government Computer Security Incident Response Teams (CSIRTs) from 21 countries of the Americas and promotes the exchange of valuable information among them,” said Alison August Treppel, Executive Secretary at the Inter-American Committee Against Terrorism of the Organization of American States.
“Aligned with the Network's experience, this guide recognizes the need for technology manufacturers, and CSIRTs as well, to shift from a reactive mindset to a model of continuous measurement and improvement of risk mitigation services. This guide serves as a clear example of the work the OAS has been conducting over the last 20 years, and will continue to do, to support member states in strengthening their cybersecurity capabilities, and building a more secure, resilient, and open cyberspace for all."
“The concept of Security by Design was already incorporated in Japan’s Cybersecurity Strategy (hereafter referred to as the Japanese strategy). This updated guidance gives shape of the concept of Security by Design, and comes into alignment with the Japanese strategy,” said Atsuo Suzuki, Director General, Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC). “We are pleased with joint sealing of this updated guidance, which contributes to the implementation of concrete measures based on the Japanese strategy.”
This guidance is intended to further catalyze progress toward investments and cultural shifts necessary for measurable improvements in customer safety; expanded international conversation about key priorities, investments, and decisions; and a future where technology is safe, secure, and resilient by design.
Recognizing that many private sector partners have made invaluable contributions toward advancing secure by design and provided valuable input to this update, the authoring agencies are actively seeking more feedback on this new version of the joint guide. At CISA, feedback can be sent to: [email protected].
For more information on CISA’s efforts to promote secure by design principles, visit our Secure by Design webpage.