The Cybersecurity and Infrastructure Security Agency (CISA) has announced a Request for Information (RFI) aimed at soliciting insights from various stakeholders on secure by design software practices. This initiative is part of CISA’s broader secure by design campaign, with the objective of fostering collaboration globally. The RFI specifically references the “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software” whitepaper and invites input from interested parties.
CISA seeks information on several key aspects, including integrating security early into the software development life cycle (SDLC), the incorporation of security education in higher education curricula, addressing recurring vulnerabilities, considerations for operational technology (OT), and the economics of implementing secure by design principles. The agency is interested in understanding the necessary changes for software manufacturers, especially smaller ones, to build and maintain secure software.
Additionally, CISA is exploring the role of education in promoting foundational security knowledge, evaluating security skills during hiring, and addressing recurring vulnerabilities through programs like CVE and CWE. CISA Director Jen Easterly emphasizes the importance of incorporating a wide range of perspectives to drive the secure by design campaign forward. The RFI responses will contribute to defining the path ahead, aligning with the President’s National Cybersecurity Strategy’s call for a shift in responsibility for security from customers to software manufacturers.
The guidance, jointly sealed by 18 U.S. and international agencies, encourages software manufacturers to build products that reduce the cybersecurity burden on customers. CISA also recently launched Secure by Design Alerts highlighting real-world harms resulting from technology products lacking secure design. CISA, along with its partners, invites technology manufacturers and stakeholders to review the RFI and provide written comments by February 20, 2024. The feedback received will inform future iterations of the whitepaper and collaborative efforts with the global community.
This proactive approach aligns with CISA’s role as the nation’s cyber defense agency and national coordinator for critical infrastructure security, leading efforts to understand, manage, and reduce risks to both digital and physical infrastructure essential to Americans. Interested parties can direct questions about the RFI to SecureByDesign@cisa.dhs.gov, and further information about the Secure by Design initiative is available on the CISA webpage.
