The Cybersecurity and Infrastructure Security Agency (CISA) published its secure-by-design and secure-by-default guidelines today, which aim to outline clear steps that technology providers can take to increase the safety of products used around the world.
“Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default” was written by CISA in collaboration with the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and six of the agency’s international partners.
This joint guidance, billed as the first of its kind, urges software manufacturers to take the urgent steps necessary to ship products that are secure-by-design and -default. According to CISA, the document is intended to catalyze progress toward the further investments and cultural shifts necessary to achieve a safe and secure future.
CISA Director Jen Easterly teased the release of the document earlier this week, saying that “we need to expect that software manufacturers are going to be driving down vulnerabilities before it gets to the consumer so you’re not putting all the burden on users and small businesses.”
She continued, adding, “We worked [on guidance] with our government partners and several of our international partners – and it’s not the Holy Grail – but it is really important data to start a robust conversation about the importance of shifting the burden to software companies from individual users and small businesses.”
In addition to specific technical recommendations, the 15-page guidance outlines several core principles to guide software manufacturers in building software security into their design processes prior to developing, configuring, and shipping their products, including:
- Taking ownership of the security outcomes of their technology products, and shifting the burden of security from the customers;
- Embracing radical transparency and accountability; and
- Building an organizational structure that fosters executive-level commitment for software manufacturers to prioritize security.
“Insecure technology products can pose risks to individual users and our national security,” said NSA Cybersecurity Director Rob Joyce. “If manufacturers consistently prioritize security during design and development, we can reduce the number of malicious cyber intrusions we see.”
“The FBI is committed to identifying ways to better protect our citizens from the agility and versatility of cyber crime, and today’s announcement is a direct example of this,” said Bryan Vorndran, assistant director of the FBI’s Cyber Division. “Working with our federal and international partners on this cyber security guide provides us with the opportunity to pave the way forward to ensure safety and security in a digitally connected world.”