CISA and 17 US and international partners publish updated principles for secure by design

The guidance urges software manufacturers to prioritize inherent security in their products and provides comprehensive principles and tools to help them do so.


CISA, in collaboration with 17 US and international partners, has released an extensive update to the Secure by Design initiative, titled ‘Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.’ This new release features expanded principles and comprehensive guidance, and welcomes eight additional international agency co-sealers.

Initially introduced in April 2023, this collaborative effort urges software manufacturers to adopt, as a matter of urgency, measures that guarantee products are inherently secure by design. It emphasises the need for manufacturers to overhaul their design and development processes so that only inherently secure products reach consumers.

This update incorporates feedback from numerous individuals, companies, and non-profit organisations. It elaborates on three fundamental principles: Taking Ownership of Customer Security Outcomes, Embracing Radical Transparency and Accountability, and Leading From the Top. The updated guidelines also provide insights into how software manufacturers can effectively demonstrate their commitment to these principles to their customers and the general public, and they underscore the essential need for software manufacturers to compete on the robustness of their security measures. In doing so, the guidelines aim to equip manufacturers with the tools necessary to demonstrate their dedication to security by design, enabling customers to assess their progress and thereby fostering demand for inherently secure products.

In addition to the original ten US and international partners, the updated guide now includes new partnerships with the Czech Republic, Israel, Singapore, South Korea, Norway, OAS/CICTE CSIRTAmericas Network, and Japan (JPCERT/CC and NISC).