The Cybersecurity and Infrastructure Security Agency is embracing secure software development processes as it looks to set an example for the rest of the federal government and other organizations in embracing “secure-by-design, secure-by-default” principles.
CISA is putting security at the forefront of its development processes as it builds both internal applications and public-facing services across its divisions, according to Steve Pruskowski, deputy associate chief for engineering in CISA’s Office of the Chief Information Officer.
The White House has looked to CISA to lead implementation of many facets of its secure software development guidelines for federal agencies.
“How do we make sure that we are following those guides that we want everyone else to follow so we set the example,” Pruskowski said in an interview with Federal News Network April 12 at a conference hosted by the Institute for Critical Infrastructure Technology.
Pruskowski said CISA’s development efforts are guided by “DevSecOps” principles that introduces security considerations early in the software development process.
“We’re really trying to adopt that agile methodology, agile mindset, DevSecOps culture,” Pruskowski said.
DevSecOps is at the center of a major program proposed in CISA’s fiscal 2024 budget called the “Cyber Analytics and Data System.” CISA is seeking nearly $425 million from Congress in fiscal 2024 for the “CADS” program, which will serve as the cornerstone of the agency’s cyber mission IT infrastructure.
“The program will continue to scale the DevSecOps pipeline to support the rapid development, testing and implementation of CADS capabilities” in 2024, budget documents state.
Beyond CISA’s cybersecurity division, Pruskowski said his organization is focused on instilling secure software development practices across the infrastructure security division, emergency communications, and internal business applications as well.
“It’s really adopting that mindset and that culture across the agency,” he said.
“Ensuring that software manufacturers integrate security into the earliest phases of design for their products is critical to building a secure and resilient technology ecosystem,” CISA Director Jen Easterly said in a statement. “These secure by design and secure by default principles aim to help catalyze industry-wide change across the globe to better protect all technology users. As software now powers the critical systems and services we collectively rely upon every day, consumers must demand that manufacturers prioritize product safety above all else.”
The guidance lays out specific technical guidance and several core principles software manufacturers can adopt. It encourages companies to adopt “radical transparency and accountability” by, for instance, maintaining up-to-date vulnerability advisories and associated common vulnerability and exposure (CVE) records for their products.
It also encourages companies to “build the right organizational structure by providing executive level commitment for software manufacturers to prioritize security as a critical element of product development.”
DHS community of practice
Within the federal government, agency executives are already considering how to follow secure software practices. The White House last fall directed agencies to adopt secure software development guidelines published by the National Institute of Standards and Technology.
Within the Department of Homeland Security, officials have established a “community of practice” focused on secure software development. Pruskowski said it meets quarterly to share ideas, lessons learned and challenges.
“We’ve got several component very actively participating in that community where we’re sharing ideas, and really starting to make that a more collaborative effort across the department as a whole,” he said. “To see where we can learn from each other . . . what are best practices, where have stumbled in the past, and how can we move forward, collaborating on technologies with that ultimate goal to make sure our systems are secure.”
Pruskowski noted that security teams will need to be open about sharing their experiences, both successes and failures, as agencies aim to adopt a quickly growing body of software security practices and guidance across their organizations, including in places that don’t typically focus on security.
“Really move that culture to be security focused, have a security mindset,” he said. “Even if your primary role is not a security practitioner, so to speak, if you’re a developer or if you’re in contracts, [we need to explain] this is why we need security. This is how we look at security and why it’s important to all of us.”