The US CISA has launched a new phase of its Secure by Design effort in a bid to get manufacturers to incorporate greater security into their software and other products.
CISA, along with 17 U.S. and international partner agencies, rolled out the revised guidance after months of feedback from companies, individuals and non-profit organizations.
CISA plans to issue a request for information on Secure by Design engineering practices, and it urges software manufacturers to demonstrate that they are building security into their products by producing evidence in the form of artifacts such as design documents, developer training certificates, and build logs.
The updated guidance also addresses how the same security expectations apply to artificial intelligence software.
The guidance argues that the burden of security currently falls on small businesses and individuals, the customers who can least afford it, because the tech industry prioritizes speed to market, lower costs, and new features over security, which has normalized a set of misaligned incentives.
The revised guidance places new emphasis on making sure manufacturers ship products that are secure by default.
CISA's core strategy is to hold the technology industry accountable for building security into products at the development stage, and the agency has signaled plans to ask Congress to write those principles into law.
In practice, this means software should be secure out of the box: customers should not have to make multiple configuration changes or pay additional fees to turn on security features.
The focus on default security was underscored by the attack on Microsoft in which thousands of State Department and other U.S. government emails were stolen by suspected state-backed hackers linked to China.
Microsoft subsequently agreed with CISA to end its practice of charging customers extra for security logs, after federal officials alerted the company to the intrusion.