CISA seeks input on secure-by-design software practices, urges manufacturers to reduce cybersecurity burden on customer

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday released a Request for Information (RFI) seeking feedback from interested parties on secure-by-design software practices, including on the agency’s latest whitepaper, ‘Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.’ The agency’s move is part of an ongoing global campaign promoting secure-by-design practices. It urges software manufacturers to take immediate action to ensure that their products are secure by design.

Additionally, the campaign pushes manufacturers to revamp their design and development programs, allowing only secure-by-design products to be shipped to customers.

The RFI, published in the Federal Register, aims to enhance CISA’s Secure by Design campaign. CISA and its partners are actively seeking information on various topics, such as incorporating security early into the software development life cycle (SDLC), the role of education, recurring vulnerabilities, artificial intelligence (AI), operational technology (OT), and addressing the economics of the ‘secure by design’ concept. The information will help CISA and its partners make informed decisions and further strengthen their campaign.

“While we have already received a wide range of feedback on our secure by design campaign, we need to incorporate the broadest possible range of perspectives,” Jen Easterly, CISA director, said in a media statement. “Our goal to drive toward a future where technology is safe and secure by design requires action by every technology manufacturer and clear demand by every customer, which in turn requires us to rigorously seek and incorporate input.” 

She added that the President’s National Cybersecurity Strategy calls for a fundamental shift in responsibility for security from the customer to software manufacturers, and input from this RFI will ‘help us define our path ahead, including updates to our joint seal Secure by Design whitepaper.’

Co-sealed by 18 U.S. and international agencies, CISA’s recent Secure by Design guidance encourages every software manufacturer to build products in a way that reduces the burden of cybersecurity on customers. More recently, CISA launched a new series of Secure by Design Alerts outlining the real-world harms that result from technology products that are not secure by design.  

When it comes to the many tactics for weaving security into the SDLC, CISA has asked for feedback on which tactics are the most effective and how that impact is measured. It also asks which actions from the whitepaper respondents are taking and what measured results they are seeing; whether respondents have publicly documented these actions and their results; and, if so, where those details can be found.

Smaller software manufacturers report that they struggle to implement the tools and practices that larger manufacturers can implement. The CISA RFI asks for examples of smaller software companies that have implemented well-lit paths to reduce product vulnerabilities. It also asks which best practices smaller software companies can adopt; what improvements are needed to allow most small software manufacturers to build and maintain software that is secure by design; and for examples of companies that invest in continuous security education for software developers. The agency also seeks data on how much these programs cost and what results they produce.

On education, CISA seeks examples of commercial entities signaling to universities their demand for security and secure-coding knowledge in graduates of computer science programs. The agency also looks for examples of higher education incorporating foundational security knowledge into computer science curricula; how universities incorporate that knowledge and what the results have been; and how current or prospective students of online computer science or coding education programs signal their security demands. It also seeks opinions on what actions online programs can take to incentivize companies to develop content with integrated security principles for hosting on their platforms.

As developing secure-by-design products is likely to cost the software manufacturer more than if the manufacturer did not emphasize product and customer security, CISA requests additional information about the magnitude and sources of these costs. It seeks input on what types of costs software manufacturers incur as they implement and mature their secure-by-design programs; how large these costs typically are; to what extent they are absorbed by manufacturers; and to what extent they are passed along to consumers through price increases. It also asks which secure-by-design practices are the most effective, and what voluntary guidance CISA should consider issuing to encourage those practices.

Software vulnerabilities cost software manufacturers and their customers time, effort, and money. CISA seeks additional information about how software manufacturers measure these costs and how manufacturers respond as costs fluctuate. The RFI document seeks input on the impact of vulnerabilities on software manufacturers and the impact of vulnerabilities on customers.

Additionally, software manufacturers generally implement the features customers ask for the most. There is a perception that customers are not asking for security in the products they buy.

In this regard, the RFI seeks input on the ways in which customers ask software manufacturers to make products more secure, and on how customers ask for specific security features rather than for products that are secure by design. CISA also asks how customers measure the security of a product; whether they can translate that measurement into long-term costs for decision-makers in a business; and what inhibits customers from creating a strong demand signal that software should be secure by design.

Addressing recurring vulnerabilities, the CISA RFI document seeks input on the barriers to eliminating recurring classes of vulnerability, and on how potential customers can determine which software manufacturers have been diligent in removing entire classes of vulnerability rather than patching individual instances of that class. The agency also asks what changes to the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs might lead more companies to identify recurring vulnerability types and invest in eliminating them.

The RFI document also covers threat modeling, a technique used to identify assets and threats and to design, implement, and validate mitigations. It seeks examples of threat models that software manufacturers have made public, and best practices for publishing a high-level threat model that will demonstrate to customers that the software manufacturer has adopted a robust threat-modeling program as part of its SDLC.

Noting that OT systems can differ significantly from information technology (IT) systems, the RFI recognizes that OT systems operate in different environments in which availability is the main priority. Unlike some IT systems that are refreshed or replaced every few years, some OT systems may operate in the field for a decade or more.

The document seeks input on which OT products or companies have implemented some of the core tenets of secure-by-design engineering; what priority customers place on security features relative to other product attributes; what incentives would likely lead customers to increase their demand for security features, even at a higher cost; and where targeted investments could be made to raise and scale security levels across OT.

With its partners, CISA urges technology manufacturers and interested stakeholders to review the RFI and provide written comments on or before Feb. 20, 2024. Instructions for submitting comments are available in the document. The feedback on the agency’s current analysis or approaches will help inform future iterations of the whitepaper and its collaborative work with the global community.
