CISA’s next version of secure-by-design guidance expected in ‘coming weeks’

The next iteration of Cybersecurity and Infrastructure Security Agency’s secure-by-design principles will arrive in ‘coming weeks,’ Executive Assistant Director for Cybersecurity Eric Goldstein said.

Software manufacturers could see the next iteration of guidance on embedding cybersecurity into their design processes for technology products in the near future, according to a Cybersecurity and Infrastructure Security Agency (CISA) official.

“At CISA, we are really excited to be releasing the next version of our secure-by-design guidance in the coming weeks,” Eric Goldstein, the agency’s executive assistant director for cybersecurity, said at an event hosted by the Washington Post on Tuesday.

He added: “We have a vast array of countries who are aligned with us on this effort, and we’ll also be putting that out for some public comment to make sure that we are getting the best sense of the global community in that guidance.”

Goldstein didn’t elaborate on what the next version of that guidance would include. A CISA spokesperson declined to comment beyond Goldstein’s remarks.


The initial April guidance spelled out key principles for shifting responsibility for cybersecurity to manufacturers by building software security into their processes before product development and distribution. CISA has touted that guidance as a major first-of-its-kind joint effort between U.S. agencies and cyber authorities in several other countries and reportedly brought on well-known hacker Peiter “Mudge” Zatko to join the effort.

“This is perhaps the most fundamental shift in cybersecurity of this administration because the core point is we’ve been asking the wrong questions around cybersecurity,” Goldstein said at the Tuesday event.

Instead of asking what victim organizations could have done differently after a cyber breach, the question should be whether the technology products it relies on were “designed in a way that was reasonably likely to reduce the prevalence of the intrusion that impacted that victim,” he said. 

Contrary to the way other industries operate, Goldstein said, “with technology products, we just accept this culture of ‘go into production with a high likelihood of exploitable flaws.’ That needs to change.”

The guidance from CISA has received some criticism for its high expectations for industry. Staff for the Atlantic Council’s Cyber Statecraft Initiative, in a July piece for TechCrunch, pointed to potential danger with rhetoric that suggests “cybersecurity problems and challenges exist only because technology vendors cut corners or that all cybersecurity risk can be avoided by following a simple set of straightforward practices.”


CISA Director Jen Easterly said earlier this year that the federal government, through its vast purchasing power, can play a large role in incentivizing and driving private companies to employ secure-by-design software principles just by choosing to do business with the ones that do. She acknowledged that CISA was looking at the Federal Acquisition Regulation to potentially create rules that could require or incentivize federal agencies to buy from vendors that have software that’s secure by design.

Written by Madison Alder

Madison Alder is a reporter for FedScoop in Washington, D.C., covering government technology. Her reporting has included tracking government uses of artificial intelligence and monitoring changes in federal contracting. She’s broadly interested in issues involving health, law, and data. Before joining FedScoop, Madison was a reporter at Bloomberg Law where she covered several beats, including the federal judiciary, health policy, and employee benefits. A west-coaster at heart, Madison is originally from Seattle and is a graduate of the Walter Cronkite School of Journalism and Mass Communication at Arizona State University.
