CISA lays out how to practice secure-by-design
The nation's cyber defense agency unveiled a highly anticipated update to its secure-by-design principles that provides more clarity on how to actually implement them.
Why it matters: The Cybersecurity and Infrastructure Security Agency has spent most of the year pushing a new set of secure-by-design principles to get software manufacturers to build better cybersecurity into their products.
- While the guidelines are voluntary, CISA's effort is seen as a precursory step in the Biden administration's push to make software manufacturers liable for the security vulnerabilities in their products.
Catch up quick: CISA released an initial set of secure-by-design principles in April that encouraged software manufacturers to rethink how they design their products to cut down the number of possible security vulnerabilities.
- The guidelines included steps like making sure their products allow for multifactor authentication and requiring users to create a strong password whenever they're first setting up a device.
- Since the release, the agency has been on a listening tour, taking feedback from hundreds of individuals, companies and nonprofits about what does, and doesn't, work in the principles.
Details: The updated guidance urges transparency, accountability, taking ownership of security outcomes, and building a corporate structure around implementing secure-by-design principles.
- The guidance now also details how manufacturers can best measure the effectiveness of these new security measures.
- CISA jointly released the updated guidelines with 13 other governments, including offices in the U.K., Canada, Israel, Japan and Singapore.
The intrigue: CISA and its co-authors note in the update that these principles also apply to manufacturers of artificial intelligence software systems and models.
- "While they might differ from traditional forms of software, fundamental security practices still apply to AI systems and models," the report says.
- Some of the secure design recommendations might need to be modified for AI, per the report.
What's next: CISA will start accepting comments in the coming weeks, according to a press release.