FORT MEADE, Md. – The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners released an updated Cybersecurity Information Sheet (CSI) to provide additional guidance for technology manufacturers to ensure their products are secure by design and default.
The joint CSI adds guidance to the “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software” report published in April 2023. The new guidance provides more detail on the three secure by design and default principles as they apply to both software manufacturers and their customers.
“We need to continue working together to proactively design, build, and deploy secure products for our critical systems,” said Rob Joyce, NSA Cybersecurity Director. “The implementation of secure by design and default principles not only increases the security posture of manufacturers’ products, but customers as well.”
As indicated in the CSI, the authoring agencies recognize the contributions from private sector partners in advancing secure by design and default implementation. The new CSI is intended to continue enabling international conversation about key priorities, investments, and decisions necessary to achieve a future where technology is safe, secure, and resilient by design and default.
The agencies recommend software manufacturers implement the strategies outlined in the CSI to take ownership of the security outcomes of their customers through secure by design and default principles. The agencies also advise that recommendations in this CSI apply to manufacturers of artificial intelligence (AI) software systems and models.
CISA authored the CSI in collaboration with the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the United Kingdom’s National Cyber Security Centre (NCSC-UK), Germany’s Federal Office for Information Security (BSI), Netherlands’ National Cyber Security Centre (NCSC-NL), the Computer Emergency Response Team New Zealand (CERT NZ) and New Zealand’s National Cyber Security Centre (NCSC-NZ), the Korea Internet & Security Agency (KISA), Israel’s National Cyber Directorate (INCD), Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and Computer Emergency Response Team Coordination Center (JPCERT), the Network of Government Cyber Incident Response Teams (CSIRT) Americas, the Cyber Security Agency of Singapore (CSA), and the Czech Republic’s National Cyber and Information Security Agency (NÚKIB).
Read the full report here.
Visit our full library for more cybersecurity information and technical guidance.
NSA Media Relations