The Cybersecurity and Infrastructure Security Agency (CISA) is preparing to release a Buyer’s Guide, which CISA Director Jen Easterly on Wednesday said she’s particularly excited about because it will help to shift consumers’ mindset from secure by design to secure by demand.
CISA’s Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force is currently developing the Buyer’s Guide, which is intended to give buyers, suppliers, and acquisition specialists a single, common set of guidance to follow when evaluating the security of their software.
The ICT SCRM Task Force’s Software Assurance Working Group will oversee the guide’s development. CISA announced a two-year renewal of the task force in February so that it could continue working on the Buyer’s Guide.
“The objective is fairly straightforward: government organizations will be able to utilize the Buyer’s Guide to confirm their software is reliable and secure, which will enhance the resilience of Federal IT systems,” Easterly said on Wednesday at the first annual ICT SCRM Task Force Conference in McLean, Va.
“We talk a lot about how we can actually drive change in the ecosystem. We are not a regulator, as all of you know, but at the end of the day, the procurement and acquisition power that we have as a Federal government is a huge lever that we can use,” she added. “So, things like the Buyer’s Guide are incredibly important in terms of shaping and driving real change in the technology and supply chain ecosystem.”
CISA recently celebrated the one-year anniversary of its Secure by Design initiative, and the agency is looking to elevate the effort in public conversation and have customers make more demands of software vendors.
The Secure by Design principles aim to keep Americans safe in today’s technology ecosystem by putting more cybersecurity responsibilities on technology manufacturers instead of on technology users.
However, Easterly said CISA is focused on a new goal this year, which is a “secure by demand” approach to ensure customers “push their vendors to do better.”
“The key thing that we’re focused on now in 2024 is exactly that and, frankly, why I’m excited about the Buyer’s Guide,” Easterly said. “We have to shift secure by design to secure by demand and make sure that every consumer understands what they should be looking for and on asking that of the technology manufacturers, we really have to continue to drive this in place.”
“At the end of the day … consumers have a choice,” she added. “It needs to be clear that ultimately, they need to purchase devices that will keep them safe and secure. And so, I love what [the ICT SCRM Task Force is] doing … and I will continue to do my best to keep evangelizing both security by design and security by demand.”