CISA lays out how to practice secure-by-design

• While the guidelines are voluntary, CISA's effort is seen as a precursory step in the Biden administration's push to make software manufacturers liable for the security vulnerabilities in their products.

Catch up quick: CISA released an initial set of secure-by-design principles in April that encouraged software manufacturers to rethink how they design their products to cut down the number of possible security vulnerabilities.

• The guidelines included steps like making sure their products allow for multifactor authentication and requiring users to create a strong password whenever they're first setting up a device.
• Since the release, the agency has been on a listening tour, taking feedback from hundreds of individuals, companies and nonprofits about what does, and doesn't, work in the principles.

Details: The updated guidance urges transparency, accountability, taking ownership for security outcomes, and building a corporate structure around implementing secure-by-design principles.

• The guidance now also details how manufacturers can best measure the effectiveness of these new security measures.

• CISA jointly released the updated guidelines with 13 other governments, including offices in the U.K., Canada, Israel, Japan and Singapore.

The intrigue: CISA and its co-authors note in the update that these principles also apply to manufacturers of artificial intelligence software systems and models.

• "While they might differ from traditional forms of software, fundamental security practices still apply to AI systems and models," the report says.
• Some of the secure design recommendations might need to be modified for AI, per the report.

What's next: CISA will start accepting comments in the coming weeks, according to a press release.

Sign up for Axios' cybersecurity newsletter Codebook here.