Many organizations, including federal agencies, are already starting to ask whether their technology products are "secure by design."
The Cybersecurity and Infrastructure Security Agency’s “secure by design” pledge might be voluntary. But CISA is hoping customers will help drive the demand for companies to follow through and adopt stronger cybersecurity practices.
CISA announced the pledge in May, with an initial 68 technology companies signed onto the commitments. That number has more than doubled to 140 companies over the last month. Lauren Zabierek, senior advisor in CISA’s cybersecurity division, said the goal is to catalyze action by some of the largest technology companies.
“We really think that this is such a key moment, because these companies are publicly taking ownership of their customers’ security outcomes, which is principle number one in secure by design,” Zabierek said in an interview.
CISA released the initial “secure by design” white paper last April. It has since released several updates. The pledge distills those principles into seven specific goals companies will commit to pursuing within one year of signing. Some of the goals include expanding the use of multifactor authentication, increasing the installation of security patches, and reducing entire classes of vulnerabilities, such as SQL injection.
The voluntary pledge is based on “good-faith” efforts of the companies, rather than any requirements or regulations. “We are not the enforcer of the pledge,” Zabierek noted.
But CISA hopes the public commitments will also lead companies to embrace “radical transparency,” another tenet of “secure by design.”
“We’re hoping that the company’s customers as well as the public and even civil society will be able to evaluate those actions taken,” Zabierek said. “And combining that together, this increased radical transparency . . . will help to shift that market to make sure that security is a core differentiator among products.”
While many technology companies compete on software features and cost, CISA believes the pledge could help demonstrate a “first mover advantage” on security, Zabierek said.
“Even to innovate on security,” she added. “We’ve heard in the past, ‘These things may harm innovation?’ Well, what if we flipped that on its head? And we started to innovate on security? And then of course customer trust. Companies can build up the trust of their customer base by having more quality products. We think that security and quality are very much related to each other.”
CISA this year is also focusing on “secure by demand” guidance for the customers who buy technology products and services. Zabierek noted federal agencies can help drive the demand for secure products. This month, agencies began collecting “secure software development attestation forms” from third-party software vendors. The form, which was developed by CISA, identifies the minimum security requirements for software used by the government.
Earlier this year, CISA also joined the “Minimum Viable Secure Product” working group. The MVSP is intended to identify key security questions that customers should be asking when buying and using software.
“As we develop that secure by demand approach — which I think will be informed by that minimum viable secure product set of controls — our goal is really to be very, very simple here,” Zabierek said. “Asking the right questions. For example, what could happen with data if a certain control isn’t met? Making it so that people without a lot of security experience can still ask that question and understand how the product works.”
Meanwhile, with 140 companies having signed the pledge so far, CISA is urging more technology companies to join the initiative.
“We think this is really powerful, because we’re going to learn a lot from each other and we’re going to share information and best practices,” Zabierek said. “And we’re going to continue to really drive progress and momentum forward here.”
Copyright © 2024 Federal News Network. All rights reserved.