CISA ramps up efforts to shift cybersecurity responsibilities onto software developers


The nation’s cyber defense agency released new guidance alongside 17 domestic and international partners.

The Cybersecurity and Infrastructure Security Agency is stepping up its calls for software manufacturers to develop products that are secure by design and to take further ownership of customer security outcomes. 

The nation's cyber defense agency published new software security guidance on Monday — along with 17 U.S. and international partners — that urges a paradigm shift of cybersecurity responsibilities from end-users to manufacturers and service providers. 

The joint secure by design guidance includes new recommendations and tools for software manufacturers to demonstrate their commitment to adequate security principles to the public, from conducting field tests and eliminating default passwords, to implementing attention-grabbing alerts and creating secure configuration templates. 

"To achieve the National Cybersecurity Strategy’s goal of rebalancing the responsibility in cyberspace, customers need to be able to demand more from their vendors — and this joint guidance gives them the tools to do exactly that," CISA Director Jen Easterly said in a press release. 

CISA also announced this week that it will be seeking input from key stakeholders over the coming weeks about the updated guidance. The agency said it will issue a request for information on secure by design principles and best practices that companies can take to better protect their software products and end-users. 

CISA published its initial secure by design guidance in April as the White House led a major effort to place further cybersecurity responsibilities on software providers. The administration held a first-of-its-kind summit this summer with K-12 education technology software manufacturers to encourage the development of school software products with enhanced, built-in security measures. 

The latest guidance was issued in tandem with the FBI and National Security Agency, as well as cyber authorities from Australia, Canada, the United Kingdom, Israel, Korea, Japan and more. 

CISA said the goal of the updated guidance is to create a "demand signal" that provides customers with a way to evaluate security protocols and progress among various software manufacturers, and to equip end-users with more transparency around software companies and their cybersecurity measures. 

The guidance also expands on the three key principles CISA outlined as part of its secure by design initiative: taking ownership of security outcomes, embracing radical transparency and accountability, and leading from the top.