The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has introduced an update to its secure-by-design principles. The highly anticipated amendment offers more clarity on the implementation of cybersecurity measures.
The announcement was made by CISA director Jen Easterly at the Singapore International Cyber Week conference on Oct. 16.
Throughout this year, the CISA has pushed for better cybersecurity from software manufacturers to be built into their products, having previously published an earlier set of guidelines in April, according to Axios.
The guidelines were aimed at better establishing how software manufacturers can mitigate security vulnerabilities, and also apply to manufacturers of artificial intelligence software systems and models. Some of these, however, might need to be modified for AI, the report states.
The initial set of principles included steps such as allowing for multifactor authentication and the creation of strong passwords when devices are first set up.
The agency has since been collecting feedback from hundreds of end users—as well as from multiple companies and organizations—on the implementation and feasibility of the guidelines.
“This updated guidance includes feedback received from hundreds of individuals, companies, and non-profits,” the report states.
“It expands on the three principles defined in the initial guidance: Take Ownership of Customer Security Outcomes, Embrace Radical Transparency and Accountability, and Lead From the Top,” it adds.
“Thanks to the feedback of hundreds of partners, we have revised this guidance to focus even more on how companies can demonstrate their commitment to secure-by-design principles. To achieve the National Cybersecurity Strategy’s goal of rebalancing the responsibility in cyberspace, customers need to be able to demand more from their vendors—and this joint guidance gives them the tools to do exactly that,” Ms. Easterly said in the report.
Currently still voluntary, the principles set out by the CISA can be viewed as a precursor to the government’s plan to hold software manufacturers liable for any vulnerabilities that could compromise the security of their products.
The recent updates serve to encourage more transparency and accountability on such issues. They also serve to build a corporate structure around implementing the guidelines, and how manufacturers can best gauge the effectiveness of such measures.
“This update highlights how software manufacturers can demonstrate these principles to their customers and the public, emphasizing that software manufacturers must be able to compete on the basis of security,” the report says.
The updates were jointly released with more than a dozen other governments, including with the U.K., Canada, Israel, Japan, and Singapore.
“I am extremely proud of the expansive, insightful, and aligned U.S. and international partnerships that have come together with a shared vision of a future in which technology products are secure by design,” Ms. Easterly said.