The Cybersecurity and Infrastructure Security Agency is looking for feedback on its “secure by design” white paper, which pushes software manufacturers to follow more stringent security principles in the design and development of all products shipped to customers.
CISA initially published its white paper — “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software” — in April but released updated joint guidance with 17 domestic and foreign partners in October following feedback from hundreds of individuals, companies and nonprofits.
With the Wednesday request for information published in the Federal Register, CISA said it “acknowledges that security by design is not easy” and additional comments on the guidance are needed.
“This white paper is part of a broader campaign across CISA and the federal government to encourage technology manufacturers to prioritize security in their development processes,” the RFI stated. “For future iterations of guidance, CISA also seeks additional information on the economics of secure development, particularly as compared with the cost of incident response. Additionally, for use in future guidance, CISA seeks information from the public describing how security could be more fully integrated into computer science and software development courses of study.”
CISA noted in the RFI that smaller manufacturers will face challenges in fully adopting the recommendations, but because more companies will now be forced to focus more of their attention on secure software development, “there is room for innovations” that will ideally “narrow the gap” between the industry’s haves and have-nots.
“Furthermore, engineering teams will be able to establish a new, steady-state rhythm in which security is built into the design and takes less effort to maintain,” the RFI said.
Among the many prompts CISA included in the RFI were callouts for feedback on how to better incorporate security into the secure software development lifecycle, how secure-by-design principles can be integrated into computer science education, and general comments regarding the economics of implementing secure-by-design practices and the costliness of software vulnerabilities.
The deadline for comment submissions to CISA’s RFI is Feb. 20, 2024.