Last week, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) released guidance on Security-by-Design and Security-by-Default principles for technology manufacturers that was jointly developed by the Federal Bureau of Investigation and the National Security Agency, as well as cybersecurity authorities in Australia, Canada, United Kingdom, Germany, Netherlands, and New Zealand. While similar principles have been published in the past, such as those released by the U.S. Federal Trade Commission, this guidance builds on the White House’s recent roll-out of the U.S. National Cybersecurity Strategy and is in line with efforts to encourage a consistent, international approach to software security that emphasizes the responsibilities of software manufacturers across various jurisdictions. While the guidance primarily focuses on recommendations for technology manufacturers, it also includes recommendations for enterprise customers to “hold their supplying technology manufacturers accountable for the security outcomes of their products.” CISA and the authoring agencies are seeking feedback on the guidance, and indicated plans to hold future listening sessions to collect feedback.
CISA and the authoring agencies emphasize that Secure-by-Design and Secure-by-Default principles will enhance cybersecurity by shifting responsibility to software manufacturers. The preamble encourages technology manufacturers to “take ownership of improving security outcomes for customers” by “revamp[ing] . . . design and development programs to permit only Secure-by-Design and –Default products to be shipped to customers.” According to the authoring agencies, such a future state would “prevent customers from having to constantly perform monitoring, routine updates, and damage control on their systems to mitigate cyber intrusions.” Instead, the guidance aims to have manufacturers assume much of this burden in order to reduce the risk of security incidents through common issues such as customers’ misconfigurations or “insufficiently fast patching.” The guidance also notes that the EU’s Cyber Resilience Act reflects this perspective, emphasizing that manufacturers should “implement security throughout a product‘s life-cycle in order to prevent manufacturers from introducing vulnerable products into the market.”
The guidance establishes three “core principles” to guide software manufacturers in building software security into their design processes:
- the burden of security should not fall solely on the customer,
- manufacturers should embrace “radical” transparency and accountability, and
- manufacturers should build organizational structure and leadership to achieve these goals, including executive-level commitment to implement changes.
To implement these three principles, the guidance suggests that manufacturers should “consider several operational tactics to evolve their development processes,” including:
- Convening routine meetings with company executive leadership focused on Security-by-Design and Security-by-Default principles, and establishing policies and procedures that reward production teams that adhere to these principles;
- Operating around the importance of software security to business success by assigning a “software security leader” or “software security team” and having “robust, independent product security assessment and evaluation programs;” and
- Using tailored threat models during development “to prioritize the most critical and high-impact products.”
In addition to these strategic steps, the authoring agencies also provide specific guidance on implementing Secure-by-Design and Secure-by-Default principles.
Secure-by-Design Principles and Guidance
The guidance describes Secure-by-Design products as those that “are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure.” The guidance highlights a number of recommendations for software manufacturers to consider in building Secure-by-Design products, including performing risk assessments to “identify and enumerate prevalent cyber threats to critical systems,” using defense-in-depth and “tailored threat models” during product development to address potential threats, “include[ing] protections in product blueprints that account for the evolving cyber threat landscape,” and developing written roadmaps to align existing product portfolios with secure-by-design practices.
The guidance also notes that “the Secure Software Development Framework, also known as the National Institute of Standards and Technology’s SP 800-218, is a core set of high-level secure software development practices that can be integrated into each stage of the software development lifecycle.” The authoring agencies encourage the development of a written “roadmap” to adopt Secure-by-Design software development practices, including the use of peer code review and security testing, as well as establishing vulnerability disclosure programs. Notably, CISA’s guidance also cites the use of CISA’s Cybersecurity Performance Goals (“CPGs”) as a key baseline for delivering Secure-by-Design products, stating that a manufacturer that “fails to meet the CPGs . . . cannot be seen as delivering Secure-by-Design products.”
Secure-by-Default Principles and Guidance
The guidance describes Secure-by-Default products as those that “are resilient against prevalent exploitation techniques out of the box without additional charge … [and] without end-users having to take additional steps to secure them.” The authoring agencies describe several examples of tactical steps that can be taken by manufacturers to prioritize Secure-by-Default configurations in their products, including: eliminating default passwords, implementing single sign-on via modern open standards, providing high-quality audit logs without an additional charge, and considering the user experience consequences of security settings, among others. The guidance also recommends that rather than developing hardening guides that list methods for securing products, software manufacturers should integrate hardening guide recommendations into default configurations and shift to provide “loosening guides” that explain which changes users can make and “the resulting security risks” of doing so.
Recommendations for Customers
While most of the guidance is aimed at manufacturers, the guidance also includes recommendations for enterprise customers to “hold their supplying technology manufacturers accountable for the security outcomes of their products.” These recommendations include prioritizing the importance of purchasing Secure-by-Design and Secure-by-Default products from an executive level, such as by empowering IT or security departments to develop purchasing criteria that prioritize these practices, requiring pre-purchase security assessments of third-party software, and “empowering the IT or security department to push back” on security issues “if necessary.” Notably, the guidance specifically recommends that organizational decisions “to accept the risks associated with specific technology products should be formally documented, approved by a senior business executive, and regularly presented to the Board of Directors” (emphasis added).
The guidance also recommends that organizations view “[k]ey enterprise IT services that support an organization’s security posture” as “critical business functions” that are funded appropriately, and partner with industry peers and manufacturers to reinforce Secure-by-Design and Secure-by-Default practices. Cloud customers should also ensure they understand their cloud provider’s shared responsibility model, including the provider’s security responsibilities.
The authoring agencies note that the guidance is intended to progress a conversation about priorities, investments, and decisions “necessary to achieve a future where technology is safe, secure, and resilient by design and default.” CISA and other agencies are seeking feedback on the guidance from interested parties, and state that they intend to convene a series of future listening sessions to further refine this guidance.