As the Cybersecurity and Infrastructure Security Agency (CISA) celebrates the one-year anniversary of its Secure by Design initiative, the agency is looking to elevate the effort in public conversation and have customers make more demands of software vendors.
The Secure by Design principles aim to keep Americans safe in today’s technology ecosystem by putting more cybersecurity responsibilities on technology manufacturers instead of on technology users.
However, CISA Senior Technical Advisor Jack Cable said the agency wants to “make sure it’s not just CISA being the only voice in the room.”
“If customers can better make these demands [and] asks of their vendors for specific security considerations built in from the start, we think we can see dramatic improvements,” Cable said on April 25 during a virtual event hosted by the Atlantic Council.
CISA and the Office of Management and Budget (OMB) published a secure software development attestation form last month, which Cable said is “a key step” towards ensuring Federal contractors provide secure products to the Federal government.
The form looks to advance a key aspect of President Biden’s 2021 cybersecurity executive order on creating a more secure software supply chain.
“But we also want to see how we can spread this broader,” Cable said. “We’ve recently joined an initiative called the Minimum Viable Secure Product Working Group, which lays out a simple checklist that companies can use to evaluate the right questions of their vendors.”
“So, we’re going to keep pushing to see what we can do at the Federal government. But we also want to empower businesses and other organizations of all sizes who are buying software to be able to ask the right questions and make good decisions about the security of the software they’re using,” he added.
CISA Director Jen Easterly explained that the agency has outlined seven initiatives to continue to support the Secure by Design revolution as it heads into its second year.
Easterly said these include continuing to educate the public and industry on Secure by Design, continuing to drive adoption and get commitments from tech manufacturers, continuing to develop and issue technical guidance, and driving awareness in “a secure by demand approach to ensure customers can push their vendors to do better.”
Additionally, CISA will focus on understanding the costs and other economic forces that impact software security and insecurity, working with academic communities to incorporate security into computer science programs and self-taught programming pathways, and continuing working with the open source community to drive a secure by design approach to open source development.
“I’m really proud of the progress that we’ve made over the past year,” Easterly said. “In a short period of time, we’ve created momentum around Secure by Design that has thrust it into the national conversation and tech and policy circles and really is the clearest answer for addressing some of the most pressing cybersecurity challenges facing the country.”
“Secure by Design is our best hope for a more resilient future,” she added. “I look forward to seeing measurable results from technology manufacturers over the coming months and years as they continue to put our Secure by Design principles in action.”
