CISA Unveils Enhanced “Secure by Design” Principles in Latest Whitepaper Release

The Cybersecurity and Infrastructure Security Agency (CISA) has published the second iteration of its “Secure by Design” whitepaper. CISA Director Jen Easterly announced the release at the Singapore Cyber Week conference. The update incorporates feedback received since the initial whitepaper was published in April 2023 and reiterates the central argument of the effort: responsibility for security outcomes should shift from customers onto the software manufacturers who are best positioned to address risk, and that shift requires a collaborative, industry-wide effort.

Key Highlights:

  • Global Collaboration: The first version of the whitepaper was co-authored with ten U.S. and international partners. The new release adds eight more countries and international organizations as co-sealers, a sign of broad interest in a shared dialogue on secure software development.
  • Industry Feedback: Feedback came from software manufacturers, customers, non-profits, academics, and government agencies. Much of it concentrated on the three “Secure by Design” principles, which is why they receive the most attention in the revised document.
  • Secure by Design Summits: CISA convened a series of summits on the challenges facing the software industry. “Summit Zero” focused on educating CISA’s own staff; subsequent summits targeted specific sectors, such as K-12 education technology and university computer science programs.
  • Pledges for Action: Following the K-12 summit, leading K-12 education technology manufacturers signed a pledge committing to secure by design practices, including not charging extra for basic security features (for example, single sign-on and multi-factor authentication) and publishing a secure by design roadmap.
  • Focus on Three Principles: In response to feedback, the new version expands substantially on the three principles: take ownership of customer security outcomes, embrace radical transparency and accountability, and build organizational structure and leadership to achieve these goals. For each principle it adds context explaining the intent and introduces the idea of evidence, in the form of published artifacts, that a manufacturer can use to demonstrate its commitment to secure software development.
  • Call to Action: CISA urges software companies to adopt the three principles and to publicly disclose the artifacts they produce. It also urges buyers to ask prospective vendors for those artifacts, so that market demand rewards secure by design engineering.
  • Request for Information (RFI): CISA plans to issue an RFI on secure by design engineering in the coming weeks, seeking feedback on where the whitepaper falls short and which areas it should address next.

The ongoing collaboration between CISA and industry stakeholders is intended to keep the secure by design principles grounded in real engineering practice. Companies are encouraged to participate by sharing what works, publishing their own artifacts, and responding to the forthcoming RFI.