CISA seeking comments on its ‘secure by design’ guidance

The agency’s request for information on its software security white paper “acknowledges that security by design is not easy,” and that additional comments from manufacturers and other interested parties are needed.
CISA Director Jen Easterly speaks at the CrowdStrike Government Summit on April 11, 2023. (Scoop News Group photo)

The Cybersecurity and Infrastructure Security Agency is looking for feedback on its “secure by design” white paper, which pushes software manufacturers to follow more stringent security principles in the design and development of all products shipped to customers. 

CISA initially published its white paper, “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software,” in April, then released updated joint guidance with 17 domestic and foreign partners in October following feedback from hundreds of individuals, companies and nonprofits.

In the request for information published Wednesday in the Federal Register, CISA said it “acknowledges that security by design is not easy” and that additional comments on the guidance are needed.

“This white paper is part of a broader campaign across CISA and the federal government to encourage technology manufacturers to prioritize security in their development processes,” the RFI stated. “For future iterations of guidance, CISA also seeks additional information on the economics of secure development, particularly as compared with the cost of incident response. Additionally, for use in future guidance, CISA seeks information from the public describing how security could be more fully integrated into computer science and software development courses of study.”
CISA noted in the RFI that smaller manufacturers will face challenges in fully adopting the recommendations. But because more companies will now have to focus on secure software development, the agency said, “there is room for innovations” that will ideally “narrow the gap” between the industry’s haves and have-nots.

“Furthermore, engineering teams will be able to establish a new, steady-state rhythm in which security is built into the design and takes less effort to maintain,” the RFI said.

Among the many prompts CISA included in the RFI were requests for feedback on how to better incorporate security into the software development lifecycle, how secure-by-design principles can be integrated into computer science education, and the economics of implementing secure-by-design practices weighed against the cost of software vulnerabilities.

The deadline for comment submissions to CISA’s RFI is Feb. 20, 2024.

Written by Matt Bracken

Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at