The Cybersecurity Coalition and the Coalition to Reduce Cyber Risk (CR2) submitted comments to the Cybersecurity and Infrastructure Security Agency’s (CISA) request for information (RFI) on its whitepaper, “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.” 

CISA’s secure-by-design initiative aims to make technology safer for consumers through secure development practices and has subsequently released the Principles as a roadmap for software manufacturers to ensure the security of their products. 

The Cybersecurity Coalition and CR2’s responses include similar recommendations on the following topics: 

National Institute of Standards and Technology’s (NIST) Secure Software Development Framework (SSDF)

Both the Cybersecurity Coalition and CR2 point to NIST’s SSDF as a framework that is rooted in international standards and received in-depth feedback and widespread adoption, and recommend CISA use the SSDF as the basis of the secure-by-design initiative. 

The Coalition suggests clarifying in the beginning of the whitepaper that the SSDF “serves as the basis for the software development lifecycle and subsequent secure-by-design initiatives.” Additionally, it should be made clear the Principles highlighted in the whitepaper are “taken directly from SSDF and are key areas CISA suggests organizations focus their efforts on when implementing a secure software development approach.” 

CR2 also references the success that NIST’s Cybersecurity Framework (CSF) has had in gaining international adoption by industry and governments, in part because of its mapping to widely utilized international standards. By using the SSDF that similarly ties to international standards, CISA would be leveraging materials that have already been developed with a robust feedback process and would avoid creating potentially duplicative resources for industry partners. 

International Collaboration

While both the Coalition and CR2 commend CISA on its ability to garner international support and sign-on for the most recent version of the whitepaper, both organizations expressed their disappointment with the lack of formal industry engagement reflected during the development of the Principles.

They note that it is not clear how input provided through this current consultation will be incorporated without another round of agreement and endorsement by international partners, and note that the comment period should have been opened before approaching global counterparts. Additionally, CR2 suggested that CISA conduct a mapping exercise of all the entities that have implemented the Principles, and identify best practices or lessons learned from across the adopters to form what would be an invaluable resource for industry.

Measurements & Shared Responsibility

The Coalition recognized CISA’s intention to identify metrics for measuring the success of implementing the Principles, but suggested a different approach on the kinds of measurements taken. They recommend having early adopters of the Principles provide a roadmap for implementation in a way that fits the entity’s unique risk profile, and potentially form a working group among adopters to identify other methods for measurement. 

The Coalition closed their comments with an emphasis on the importance of the shared responsibility in cybersecurity, and underscored that while developers have a duty to build security into their products, the security of the deployment environments is just as consequential to security outcomes. 

* * *

Both the Cybersecurity Coalition and Coalition to Reduce Cyber Risk support secure software development practices and hope their feedback will be helpful to CISA as they continue their work on the secure-by-design initiative.

Alexis Steffaro
