Alert

CISA, NSA, FBI, and International Partners Release Updated Secure by Design Guidance

Today, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) released an update to Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default with the following international partners:

  • Australian Cyber Security Centre (ACSC)
  • Canadian Centre for Cyber Security (CCCS)
  • United Kingdom’s National Cyber Security Centre (NCSC-UK)
  • Germany’s Federal Office for Information Security (BSI)
  • Netherlands’ National Cyber Security Centre (NCSC-NL)
  • Norway's National Cyber Security Center (NCSC-NO)
  • Computer Emergency Response Team New Zealand (CERT NZ) and New Zealand’s National Cyber Security Centre (NCSC-NZ)
  • Korea Internet & Security Agency (KISA)
  • Israel’s National Cyber Directorate (INCD)
  • Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and Computer Emergency Response Team Coordination Center (JPCERT)
  • Network of Government Cyber Incident Response Teams (CSIRT) Americas
  • Cyber Security Agency of Singapore (CSA)
  • Czech Republic’s National Cyber and Information Security Agency (NÚKIB)

This update to the original April 2023 guidance provides additional recommendations for software manufacturers—including manufacturers of artificial intelligence software systems and models—to improve the security of their products. Specifically, the update expands upon the following secure-by-design principles for manufacturers:

  • Take ownership of customer security outcomes.
  • Embrace radical transparency and accountability.
  • Lead from the top.

CISA and its partners strongly encourage all software manufacturers to read the updated guidance as well as the CISA blog post about the update. For more information and future updates, see Secure by Design.

This product is provided subject to this Notification and this Privacy & Use policy.