CISA plans new 'secure-by-design' guidance

CISA Director Jen Easterly speaks at the Billington Cybersecurity conference in Washington, D.C. Photo courtesy: Billington Cybersecurity

The nation’s cyber defense agency is continuing to drive a major effort to shift security responsibilities from users to software providers.

The Cybersecurity and Infrastructure Security Agency is set to release new guidance aimed at bolstering national cybersecurity — including updated best practices for software providers to build secure-by-design products — and a public service awareness campaign to promote cyber preparedness across the country. 

CISA Director Jen Easterly said the nation’s cyber defense agency will be launching a public service awareness campaign later this month to help foster a cybersecurity-conscious culture and amplify best practices that everyday technology users and ordinary citizens can employ to safeguard their digital assets. “We hope to really get the nation energized about how we can keep ourselves safe,” Easterly said on Wednesday at the Billington Cybersecurity Summit in Washington, D.C. She added that the awareness campaign will include “simple steps” and actionable measures that users can take to better protect themselves from digital intrusions and emerging cyber threats. 

The agency is also expected to release an updated white paper as early as next month that builds on its initial report on shifting the balance of cybersecurity risk from end users to software providers, Easterly said. The first version of the white paper, published in April, laid out software product security principles and approaches to help technology providers build products that are resilient against common exploitation techniques and protect users against prevalent and emerging classes of vulnerabilities.

“It’s all about changing the incentives so that technology companies are bearing the burden, not the user,” Easterly said. 

The new guidance is being developed with feedback and input from industry stakeholders and international partners, the CISA director added, and will include measures that technology providers can demonstrate “to be a signal to consumers that they are in fact providing secure-by-design technology.”

The new guidance comes as the White House continues a major effort to shift security responsibilities onto software providers. The administration published an implementation plan for the National Cybersecurity Strategy released earlier this year that advocates for secure-by-design principles, and tasked federal agencies with prioritizing investments in technologies that employ such principles in their 2025 budget requests. 

CISA also launched a K-12 education technology secure-by-design pledge earlier this week that seeks commitments from education technology vendors to develop products with strong, built-in security measures. The initiative was announced on Tuesday with support from six education technology providers: PowerSchool, Classlink, Clever, GG4L, Instructure and D2L.