[CDP-development] CISA Publishes Joint Guide on Principles and Approaches for Security-by-Design and -Default
Masse, Theresa
theresa.masse at cisa.dhs.gov
Thu Apr 13 07:14:38 PDT 2023
FYSA
Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI<https://fbi.gov/>), the National Security Agency (NSA<https://nsa.gov/>), and the cybersecurity authorities of Australia<https://www.cyber.gov.au/>, Canada<https://www.cyber.gc.ca/en/>, United Kingdom<https://www.ncsc.gov.uk/>, Germany<https://bsi.bund.de/>, Netherlands<https://english.ncsc.nl/>, and New Zealand (CERT NZ<https://www.cert.govt.nz/>, NCSC-NZ<https://www.ncsc.govt.nz/>) published Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default<https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default>. This joint guidance urges software manufacturers to take urgent steps necessary to ship products that are secure-by-design and -default.
This guidance, the first of its kind, is intended to catalyze progress toward further investments and cultural shifts necessary to achieve a safe and secure future. In addition to specific technical recommendations, this guidance outlines several core principles to guide software manufacturers in building software security into their design processes prior to developing, configuring, and shipping their products, including:
* Take ownership of the security outcomes of their technology products, shifting the burden of security from the customers. A secure configuration should be the default baseline, in which products automatically enable the most important security controls needed to protect enterprises from malicious cyber actors.
* Embrace radical transparency and accountability, for example by ensuring vulnerability advisories and associated common vulnerability and exposure (CVE) records are complete and accurate.
* Build the right organizational structure by providing executive level commitment for software manufacturers to prioritize security as a critical element of product development.
Many private sector partners have made invaluable contributions toward advancing security-by-design and security-by-default. With this joint guide, the authoring agencies seek to progress an international conversation about key priorities, investments, and decisions necessary to achieve a future where technology is safe, secure, and resilient by design and default. Feedback on this guide is welcome and can be sent to: SecureByDesign at cisa.dhs.gov<mailto:SecureByDesign at cisa.dhs.gov>.
For more information on CISA's efforts to promote secure-by-design and -default principles, visit our webpage<https://www.cisa.gov/securebydesign>.
Theresa A. Masse
Cybersecurity State Coordinator/Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse at cisa.dhs.gov<mailto:theresa.masse at cisa.dhs.gov>