The Cybersecurity and Infrastructure Security Agency (CISA) issued a formal request for information (RFI) in the Federal Register today looking for feedback on its secure-by-design software practices.

Specifically, CISA is looking for feedback on the updated version of its white paper, “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software,” which it published in October. The guidance was originally published in April, but the updated document includes feedback from hundreds of individuals, companies, and nonprofits.

“While we have already received a wide range of feedback on our secure by design campaign, we need to incorporate the broadest possible range of perspectives,” CISA Director Jen Easterly said of today’s RFI.

To better inform CISA’s secure-by-design guidelines, the agency is looking for general comments on the white paper as well as insight into specific topics.

CISA is encouraging technology manufacturers and all interested stakeholders to review the RFI and submit comments by Feb. 20, 2024.

The agency said the feedback will help to inform future iterations of the white paper, as well as CISA’s collaborative work with the entire security community.

For example, the agency wants input on incorporating security early into the software development life cycle (SDLC), and specifically, which tactics are the most effective to weave security into the SDLC. The agency also wants to hear more about best practices that smaller software companies can adopt.

Additionally, CISA is looking for insights into education, since security is often relegated to an elective course. For instance, CISA wants examples of higher-education institutions incorporating security knowledge into their computer science curricula.

CISA also wants information on recurring vulnerabilities, as well as operational technology (OT). For instance, where could targeted investments be made to raise and scale security levels across OT?

Notably, CISA also points out that “AI is software and therefore should adhere to the three secure by design principles.” The agency wants input on what additional security considerations are necessary for the development of secure AI.

Finally, CISA wants feedback on the economics of secure-by-design practices, and how these costs compare to the costs of responding to incidents and breaches.

“Just as cars with crumple zones and air bags may cost their manufacturers more to build than cars without such safety mechanisms, developing secure by design products is likely to cost the software manufacturer more than if the manufacturer did not emphasize product and customer security,” the RFI says. “CISA requests additional information about the magnitude and sources of these costs.”

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.