The Cybersecurity and Infrastructure Security Agency (CISA) and 17 international partners rolled out the first new batch of updates to their “secure-by-design” guidance document Monday.

The guidance – originally published in April – seeks to help software providers set up and ship their products in ways that protect them from exposure to adversaries.

The Oct. 16 updates to the secure-by-design document include expanded principles, guidance, and eight new international agency co-sealers, CISA said.

“[T]his joint guidance urges software manufacturers to take urgent steps necessary to ship products that are secure by design and revamp their design and development programs to permit only secure by design products to be shipped to customers,” the agency said.

According to CISA, this updated guidance includes feedback received from hundreds of individuals, companies, and non-profits.

It expands on the three principles: take ownership of customer security outcomes, embrace radical transparency and accountability, and lead from the top. This update highlights how software manufacturers can demonstrate these principles to their customers and the public. This joint guidance equips software manufacturers with the tools to demonstrate their commitment to secure by design, and gives customers the means to evaluate their progress, thus creating a demand signal for secure by design, CISA said.

In addition to the ten U.S. and international partners in the initial publication, the updated guide is published in partnership with the Czech Republic, Israel, Singapore, Korea, Norway, CSIRTAmericas Network, and Japan.

“Thanks to the feedback of hundreds of partners, we have revised this guidance to focus even more on how companies can demonstrate their commitment to secure by design principles,” said CISA Director Jen Easterly. “To achieve the National Cybersecurity Strategy’s goal of rebalancing the responsibility in cyberspace, customers need to be able to demand more from their vendors – and this joint guidance gives them the tools to do exactly that.”

CISA said this guidance is intended to further catalyze progress toward investments and cultural shifts necessary for measurable improvements in customer safety; expanded international conversation about key priorities, investments, and decisions; and a future where technology is safe, secure, and resilient by design.

In the coming weeks, CISA will release a request for information on secure by design practices, to invite feedback on this guidance and to understand the steps that companies are taking in line with secure by design principles.

Cate Burgan
Cate Burgan is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.