<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
{font-family:"Franklin Gothic Book";
panose-1:2 11 5 3 2 1 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.xxxmsonormal, li.xxxmsonormal, div.xxxmsonormal
{mso-style-name:x_x_x_msonormal;
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.xxxparagraph, li.xxxparagraph, div.xxxparagraph
{mso-style-name:x_x_x_paragraph;
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.xxxnormaltextrun
{mso-style-name:x_x_x_normaltextrun;}
span.contentpasted0
{mso-style-name:contentpasted0;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:308831270;
mso-list-template-ids:-1105795814;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:1004550045;
mso-list-template-ids:2032153418;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">FYSA<o:p></o:p></p>
<div>
<div>
<div>
<p class="xxxmsonormal" style="background:white"><span class="contentpasted0"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span></span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p class="xxxmsonormal" style="background:white"><span class="contentpasted0"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black">Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (</span></span><span style="font-size:12.0pt;color:black"><a href="https://fbi.gov/"><span class="xxxnormaltextrun"><span style="font-size:11.0pt;font-family:'Franklin Gothic Book',sans-serif;color:#0563C1">FBI</span></span></a></span><span class="contentpasted0"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black">),
the National Security Agency (</span></span><span style="font-size:12.0pt;color:black"><a href="https://nsa.gov/"><span class="xxxnormaltextrun"><span style="font-size:11.0pt;font-family:'Franklin Gothic Book',sans-serif;color:#0563C1">NSA</span></span></a></span><span class="contentpasted0"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black">),
and the cybersecurity authorities of </span></span><span style="font-size:12.0pt;color:black"><a href="https://www.cyber.gov.au/"><span class="xxxnormaltextrun"><span style="font-size:11.0pt;font-family:'Franklin Gothic Book',sans-serif;color:#0563C1">Australia</span></span></a></span><span class="contentpasted0"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black">, </span></span><span style="font-size:12.0pt;color:black"><a href="https://www.cyber.gc.ca/en/"><span class="xxxnormaltextrun"><span style="font-size:11.0pt;font-family:'Franklin Gothic Book',sans-serif;color:#0563C1">Canada</span></span></a></span><span class="contentpasted0"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black">, </span></span><span style="font-size:12.0pt;color:black"><a href="https://www.ncsc.gov.uk/"><span class="xxxnormaltextrun"><span style="font-size:11.0pt;font-family:'Franklin Gothic Book',sans-serif;color:#0563C1">United
Kingdom</span></span></a></span><span class="contentpasted0"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black">, </span></span><span style="font-size:12.0pt;color:black"><a href="https://bsi.bund.de/"><span class="xxxnormaltextrun"><span style="font-size:11.0pt;font-family:'Franklin Gothic Book',sans-serif;color:#0563C1">Germany</span></span></a></span><span class="contentpasted0"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black">, </span></span><span style="font-size:12.0pt;color:black"><a href="https://english.ncsc.nl/"><span class="xxxnormaltextrun"><span style="font-size:11.0pt;font-family:'Franklin Gothic Book',sans-serif;color:#0563C1">Netherlands</span></span></a></span><span class="contentpasted0"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black">,
and New Zealand (</span></span><span style="font-size:12.0pt;color:black"><a href="https://www.cert.govt.nz/"><span class="xxxnormaltextrun"><span style="font-size:11.0pt;font-family:'Franklin Gothic Book',sans-serif;color:#0563C1">CERT NZ</span></span></a></span><span class="contentpasted0"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black">, </span></span><span style="font-size:12.0pt;color:black"><a href="https://www.ncsc.govt.nz/"><span class="xxxnormaltextrun"><span style="font-size:11.0pt;font-family:'Franklin Gothic Book',sans-serif;color:#0563C1">NCSC-NZ</span></span></a></span><span class="contentpasted0"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black">) published </span></span><span style="font-size:12.0pt;color:black"><a href="https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default"><span style="font-size:11.0pt;font-family:'Franklin Gothic Book',sans-serif">Shifting
the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default</span></a></span><span class="contentpasted0"><span style="font-family:'Franklin Gothic Book',sans-serif;color:black">. This joint guidance urges software manufacturers
to take the urgent steps necessary to ship products that are secure-by-design and -default. </span></span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p class="xxxmsonormal" style="background:white"><span class="contentpasted0"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span></span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p class="xxxparagraph" style="background:white"><span class="contentpasted0"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">This guidance, the first of its kind, is intended to catalyze progress toward further investments and cultural
shifts necessary to achieve a safe and secure future. In addition to specific technical recommendations, this guidance outlines several core principles to guide software manufacturers in building software security into their design processes prior to developing,
configuring, and shipping their products, including: </span></span><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black"><o:p></o:p></span></p>
<p class="xxxparagraph" style="background:white"><span class="contentpasted0"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span></span><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black"><o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3;background:white">
<span class="contentpasted0"><span style="font-family:'Franklin Gothic Book',sans-serif">Take ownership of the security outcomes of their technology products, shifting the burden of security away from customers. A secure configuration should be the default baseline,
in which products automatically enable the most important security controls needed to protect enterprises from malicious cyber actors. </span></span><span style="font-size:13.5pt;font-family:'Segoe UI',sans-serif"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3;background:white">
<span class="contentpasted0"><span style="font-family:'Franklin Gothic Book',sans-serif">Embrace radical transparency and accountability—for example, by ensuring vulnerability advisories and associated Common Vulnerabilities and Exposures (CVE) records are complete
and accurate. </span></span><span style="font-size:13.5pt;font-family:'Segoe UI',sans-serif"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3;background:white">
<span class="contentpasted0"><span style="font-family:'Franklin Gothic Book',sans-serif">Build the right organizational structure by providing executive-level commitment for software manufacturers to prioritize security as a critical element of product development. </span></span><span style="font-size:13.5pt;font-family:'Segoe UI',sans-serif"><o:p></o:p></span></li></ul>
<p class="xxxmsonormal" style="background:white"><span class="contentpasted0"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span></span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p class="xxxparagraph" style="background:white"><span class="contentpasted0"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">Many private sector partners have made invaluable contributions toward advancing security-by-design and security-by-default. With
this joint guide, the authoring agencies seek to progress an international conversation about key priorities, investments, and decisions necessary to achieve a future where technology is safe, secure, and resilient by design and default. Feedback on this guide
is welcome and can be sent to: </span></span><span class="xxxnormaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif;color:#0563C1"><a href="mailto:SecureByDesign@cisa.dhs.gov" title="mailto:SecureByDesign@cisa.dhs.gov">SecureByDesign@cisa.dhs.gov</a></span></span><span class="contentpasted0"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">. </span></span><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black"><o:p></o:p></span></p>
<p class="xxxparagraph" style="background:white"><span class="contentpasted0"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span></span><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black"><o:p></o:p></span></p>
<p class="xxxparagraph" style="background:white"><span class="contentpasted0"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">For more information on CISA’s efforts to promote secure-by-design and -default principles, visit our </span></span><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black"><a href="https://www.cisa.gov/securebydesign"><span class="xxxnormaltextrun"><span style="font-size:11.0pt;font-family:"Franklin Gothic Book",sans-serif;color:#0563C1">webpage</span></span></a></span><span class="contentpasted0"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">.</span></span><span class="xxxnormaltextrun"><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black"> </span><o:p></o:p></span></p>
<p class="xxxparagraph" style="background:white"><o:p> </o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span style="color:#1F497D">Theresa A. Masse<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Cybersecurity State Coordinator/Advisor, Region 10 (Oregon)
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Cybersecurity and Infrastructure Security Agency<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Department of Homeland Security<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Phone: (503) 930-5671
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Email:</span><span style="font-size:10.0pt;color:#777777">
</span><a href="mailto:theresa.masse@cisa.dhs.gov"><span style="font-size:10.0pt;color:#0563C1">theresa.masse@cisa.dhs.gov</span></a><u><span style="font-size:10.0pt;color:#0760C1"><o:p></o:p></span></u></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><img border="0" width="97" height="97" style="width:1.0138in;height:1.0138in" id="Picture_x0020_1" src="cid:image001.png@01D96DD7.8AEDB250"><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
</div>
</body>
</html>