Oct 17, 2023 - Technology

CISA lays out how to practice secure-by-design

Illustration: Natalie Peeples/Axios

The nation's cyber defense agency unveiled a highly anticipated update to its secure-by-design principles that provides more clarity on how to actually implement them.

Why it matters: The Cybersecurity and Infrastructure Security Agency has spent most of the year pushing a new set of secure-by-design principles to get software manufacturers to build better cybersecurity into their products.

  • While the guidelines are voluntary, CISA's effort is seen as a preliminary step in the Biden administration's push to make software manufacturers liable for the security vulnerabilities in their products.

Catch up quick: CISA released an initial set of secure-by-design principles in April that encouraged software manufacturers to rethink how they design their products to cut down the number of possible security vulnerabilities.

  • The guidelines included steps like making sure their products allow for multifactor authentication and requiring users to create a strong password whenever they're first setting up a device.
  • Since the release, the agency has been on a listening tour, taking feedback from hundreds of individuals, companies and nonprofits about what does, and doesn't, work in the principles.

Details: The updated guidance urges transparency, accountability, taking ownership of security outcomes, and building a corporate structure around implementing secure-by-design principles.

  • The guidance now also details how manufacturers can best measure the effectiveness of these new security measures.
  • CISA jointly released the updated guidelines with 13 other governments, including offices in the U.K., Canada, Israel, Japan and Singapore.

The intrigue: CISA and its co-authors note in the update that these principles also apply to manufacturers of artificial intelligence software systems and models.

  • "While they might differ from traditional forms of software, fundamental security practices still apply to AI systems and models," the report says.
  • Some of the secure design recommendations might need to be modified for AI, per the report.

What's next: CISA will start accepting comments in the coming weeks, according to a press release.
