November 7, 2023 at 07:00 AM
Secure-by-design is becoming a regulatory requirement for critical infrastructure, as outlined in the March 2023 National Cybersecurity Strategy. The concept is important to the federal government, and it is expected to be enforced through an Executive Order. However, there is currently no universally agreed-upon definition or way to measure secure-by-design. CISA has published principles and guidelines, but more work is needed to develop a comprehensive specification and enforceable regulations. Developers should start preparing for secure-by-design requirements now.
The meeting notes discuss the concept of “secure-by-design” and its potential implications for developers and critical infrastructure. It is mentioned that secure-by-design is becoming important to the federal government and may become a regulatory requirement enforced through an Executive Order. However, the term secure-by-design is currently undefined and lacks a standardized specification.
Various industry experts and vendors provide their own interpretations of secure-by-design. Microsoft describes it as implementing security and privacy throughout the development process, while other vendors emphasize the importance of making security a priority from the beginning and implementing best practices.
The consensus is that secure-by-design is currently just a label used by vendors, without a universally applicable definition or measurable process. To address this, a formalized process applicable to all product development could be established, potentially based on the guidance provided by CISA in collaboration with other cybersecurity authorities.
CISA’s guidance defines secure-by-design as building technology products that reasonably protect against malicious cyber actors and includes a set of principles and best practices for developers. However, a more comprehensive and enforceable set of required practices would still need to be developed.
The meeting notes also mention the need to consider secure-by-design for hardware, not just software. Hardware must be included in secure-by-design efforts because secure software running on insecure hardware is not effective. However, specifying a universally enforceable and measurable process for hardware is more complex than it is for software.
The ultimate goal is to have a secure-by-design specification that provides a playbook for product developers. The NIST Secure Software Development Framework (SSDF) is a starting point for software, but further work is needed to fully develop and enforce a secure-by-design specification.
When it comes to regulation, options include mandatory or voluntary regulations, regular audits, or ongoing self-assessments. The procurement side could require the purchase of products complying with secure-by-design specifications, and false claims could result in loss of business. The specifics of CISA’s intentions and enforcement methods are unclear, but it is evident that secure-by-design is a long-term project for the agency.
In October 2023, CISA published updated secure-by-design principles, incorporating feedback from various stakeholders and expanding on the initial guidance. The project has gained the participation of eight additional international cybersecurity agencies, indicating continued progress and collaboration in the development and implementation of secure-by-design principles. Developers should anticipate the increasing importance of secure-by-design and start preparing for its potential regulatory requirements.