{"id":2236,"date":"2023-12-20T22:02:54","date_gmt":"2023-12-20T22:02:54","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=78620"},"modified":"2023-12-20T22:02:54","modified_gmt":"2023-12-20T22:02:54","slug":"cisa-seeking-comments-on-its-secure-by-design-guidance","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/12\/20\/cisa-seeking-comments-on-its-secure-by-design-guidance\/","title":{"rendered":"CISA seeking comments on its \u2018secure by design\u2019 guidance"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>CISA seeking comments on its \u2018secure by design\u2019 guidance | FedScoop<\/title> <meta name=\"description\" content=\"The Cybersecurity and Infrastructure Security Agency is looking for feedback on its \u201csecure by design\u201d white paper, which pushes software manufacturers to follow more stringent security principles in the design and development of all products shipped to customers.&nbsp;\"> <link rel=\"canonical\" href=\"https:\/\/fedscoop.com\/cisa-secure-by-design-white-paper-rfi\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"CISA seeking comments on its \u2018secure by design\u2019 guidance\"> <meta property=\"og:description\" content=\"The agency\u2019s request for information on its software security white paper \u201cacknowledges that security by design is not easy,\u201d and that additional comments from manufacturers and other interested parties are needed.\"> <meta property=\"og:url\" content=\"https:\/\/fedscoop.com\/cisa-secure-by-design-white-paper-rfi\/\"> <meta 
property=\"og:site_name\" content=\"FedScoop\"> <meta property=\"article:published_time\" content=\"2023-12-20T21:57:50+00:00\"> <meta property=\"article:modified_time\" content=\"2023-12-20T21:59:54+00:00\"> <meta name=\"author\" content=\"mbracken\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/cisa-seeking-comments-on-its-secure-by-design-guidance.png\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"FedScoop \u00bb Feed\" href=\"https:\/\/fedscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"FedScoop \u00bb Comments Feed\" href=\"https:\/\/fedscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/fedscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1701905043g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/fedscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1701205643g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/fedscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1702656561g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=7dab012cdc88b5676610\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/fedscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/fedscoop.com\/wp-json\/wp\/v2\/posts\/75344\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/fedscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.4.2\">\n<link 
rel=\"shortlink\" href=\"https:\/\/fedscoop.com\/?p=75344\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/fedscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Ffedscoop.com%2Fcisa-secure-by-design-white-paper-rfi%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/fedscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Ffedscoop.com%2Fcisa-secure-by-design-white-paper-rfi%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/fedscoop.com\/wp-content\/uploads\/sites\/5\/2023\/01\/cropped-fs_favicon-3.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/fedscoop.com\/wp-content\/uploads\/sites\/5\/2023\/01\/cropped-fs_favicon-3.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/fedscoop.com\/wp-content\/uploads\/sites\/5\/2023\/01\/cropped-fs_favicon-3.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/fedscoop.com\/wp-content\/uploads\/sites\/5\/2023\/01\/cropped-fs_favicon-3.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-75344 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/fedscoop.com\/cisa-secure-by-design-white-paper-rfi\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 
22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.427752293578\">\n<div class=\"single-article__header-content\" readability=\"33.146417445483\">\n<p> The agency\u2019s request for information on its software security white paper \u201cacknowledges that security by design is not easy,\u201d and that additional comments from manufacturers and other interested parties are needed. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" loading=\"lazy\" width=\"640\" height=\"401\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/cisa-seeking-comments-on-its-secure-by-design-guidance.webp?resize=640%2C401&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"CISA Director Jen Easterly speaks at the CrowdStrike Government Summit on April 11, 2023. 
(Scoop News Group photo)\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/cisa-seeking-comments-on-its-secure-by-design-guidance.png 2160w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/cisa-seeking-comments-on-its-secure-by-design-guidance.png?resize=300,188 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/cisa-seeking-comments-on-its-secure-by-design-guidance.png?resize=768,481 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/cisa-seeking-comments-on-its-secure-by-design-guidance.png?resize=1024,641 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/cisa-seeking-comments-on-its-secure-by-design-guidance.png?resize=1536,961 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/cisa-seeking-comments-on-its-secure-by-design-guidance.png?resize=2048,1282 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/cisa-seeking-comments-on-its-secure-by-design-guidance.png?resize=600,376 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/cisa-seeking-comments-on-its-secure-by-design-guidance.png?resize=268,168 268w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/cisa-seeking-comments-on-its-secure-by-design-guidance.png?resize=538,337 538w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/cisa-seeking-comments-on-its-secure-by-design-guidance.png?resize=1078,675 1078w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/cisa-seeking-comments-on-its-secure-by-design-guidance.png?resize=1347,843 1347w\" sizes=\"auto, (max-width: 1078px) 100vw, 1078px\"><figcaption> CISA Director Jen Easterly speaks at the CrowdStrike Government Summit on April 11, 2023. 
(Scoop News Group photo) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"22.234690386589\"><body readability=\"45.078613693998\"><\/p>\n<p>The Cybersecurity and Infrastructure Security Agency is looking for feedback on its \u201csecure by design\u201d white paper, which pushes software manufacturers to follow more stringent security principles in the design and development of all products shipped to customers.&nbsp;<\/p>\n<p>CISA initially published its white paper \u2014 \u201c<a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2023-06\/principles_approaches_for_security-by-design-default_508c.pdf\">Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software<\/a>\u201d \u2014 in April but released <a href=\"https:\/\/www.cisa.gov\/resources-tools\/resources\/secure-by-design\">updated joint guidance<\/a> with 17 domestic and foreign partners in October following feedback from hundreds of individuals, companies and nonprofits.<\/p>\n<p>With the Wednesday <a href=\"https:\/\/www.federalregister.gov\/documents\/2023\/12\/20\/2023-27948\/request-for-information-on-shifting-the-balance-of-cybersecurity-risk-principles-and-approaches-for\">request for information<\/a> published in the Federal Register, CISA said it \u201cacknowledges that security by design is not easy\u201d and additional comments on the guidance are needed.<\/p>\n<p>\u201cThis white paper is part of a broader campaign across CISA and the federal government to encourage technology manufacturers to prioritize security in their development processes,\u201d the RFI stated. \u201cFor future iterations of guidance, CISA also seeks additional information on the economics of secure development, particularly as compared with the cost of incident response. 
Additionally, for use in future guidance, CISA seeks information from the public describing how security could be more fully integrated into computer science and software development courses of study.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>CISA noted in the RFI that smaller manufacturers will face challenges in fully adopting the recommendations, but because more companies will now be forced to center more of their attention on secure software development, \u201cthere is room for innovations\u201d that will ideally \u201cnarrow the gap\u201d between the industry\u2019s haves and have-nots.<\/p>\n<p>\u201cFurthermore, engineering teams will be able to establish a new, steady-state rhythm in which security is built into the design and takes less effort to maintain,\u201d the RFI said.<\/p>\n<p>Among the many prompts CISA included in the RFI were callouts for feedback on how to better incorporate security into the secure software development lifecycle, how secure-by-design principles can be integrated into computer science education, and general comments regarding the economics of implementing secure-by-design practices and the costliness of software vulnerabilities.&nbsp;<\/p>\n<p>The deadline for comment submissions to CISA\u2019s RFI is Feb. 
20, 2024.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"4.3615107913669\">\n<div class=\"author-card\" readability=\"15\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/12\/cisa-seeking-comments-on-its-secure-by-design-guidance.jpg?w=640&#038;ssl=1\" alt=\"Matt Bracken\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Bracken<\/h4>\n<p> Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at matt.bracken@scoopnewsgroup.com. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Acquisition<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to FedScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a 
href=\"https:\/\/fedscoop.com\/cisa-secure-by-design-white-paper-rfi\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA seeking comments on its \u2018secure by design\u2019 guidance |<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[78,452,1276],"tags":[86,454,1278],"class_list":["post-2236","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-secure-by-design","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-secure-by-design"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/secure-by-design\/\" rel=\"category 
tag\">secure-by-design<\/a>","tag_info":"secure-by-design","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2236","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2236"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2236\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2236"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2236"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2236"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}