The Cybersecurity and Infrastructure Security Agency (CISA), along with 17 U.S. and international partners, published an update to “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software” that includes further detail on key principles and guidance and is co-sealed by eight additional international cybersecurity agencies.
Initially published in April 2023, the joint guidance urges software manufacturers to take the steps necessary to design, develop, and deliver products that are secure by design.
This updated guidance includes feedback received from hundreds of individuals, companies, and non-profits. It expands on the three principles defined in the initial guidance: Take Ownership of Customer Security Outcomes, Embrace Radical Transparency and Accountability, and Lead From the Top. This update highlights how software manufacturers can demonstrate these principles to their customers and the public, emphasizing that software manufacturers must be able to compete on the basis of security. This joint guidance is intended to help software manufacturers demonstrate their commitment to secure by design principles and give customers suggestions on how to ask for products that are secure by design.
CISA will be releasing a Request for Information on secure by design practices, inviting feedback on this guidance and seeking to understand the steps that companies are taking in line with secure by design principles.
This guidance is intended to further catalyze progress toward investments and cultural shifts necessary for measurable improvements in customer safety; expanded international conversation about key priorities, investments, and decisions; and a future where technology is safe, secure, and resilient by design.
Recognizing that many private sector partners have made invaluable contributions toward advancing secure by design and provided valuable input to this update, the authoring agencies are actively seeking more feedback on this new version of the joint guide. At CISA, feedback can be sent to: [email protected]