Policy Briefing — CISA Secure-by-Design and Default Guidance Released
CISA’s secure-by-design guidance sets expectations for memory-safe development, secure default configurations, and transparent vulnerability management across the software supply chain.
Executive briefing: On 13 April 2023, the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and NSA, together with the cyber authorities of Australia, Canada, Germany, the Netherlands, New Zealand, and the United Kingdom, published Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default, guidance intended to move the burden of security away from end users and onto the technology manufacturers best placed to carry it. The document sets expectations for memory-safe development, secure default configurations, transparent vulnerability management, and organisation-wide culture change, and signals how regulators and major customers will evaluate vendor trustworthiness. Product leaders must translate the principles into release engineering standards, investment plans, and contractual commitments. CISA later extended the guidance with a voluntary Secure by Design pledge under which signatories commit to demonstrable progress within a year on seven goals: multi-factor authentication, eliminating default passwords, reducing entire classes of vulnerability, timely security patches, a published vulnerability disclosure policy, complete CVE records, and giving customers evidence of intrusions.
Capabilities: Core principles in the guidance
The joint guidance distils three core principles: take ownership of customer security outcomes, embrace radical transparency and accountability, and lead from the top by building the organisational structure that drives secure design. Under each principle it lists practical tactics, such as eliminating default passwords, enforcing multi-factor authentication (MFA) for privileged accounts, switching audit logging on by default, and shipping timely, well-documented patches. It also urges a shift to memory-safe languages (the document names C#, Go, Java, Ruby, Rust, and Swift) for new development and when refactoring high-risk components, citing industry data that roughly two-thirds of vulnerabilities in large memory-unsafe code bases are memory safety issues.
Vendors are urged to invest in threat modelling during design, automated testing pipelines with coverage for authentication, authorisation, and cryptography failures, and telemetry to verify that mitigations remain effective post-deployment. The advisory underscores that core security features should never be paywalled add-ons but part of the base product configuration.
Implementation roadmap for software suppliers
Executives should charter cross-functional programmes that translate the guidance into measurable initiatives:
- Portfolio risk assessment. Map existing products against the guidance’s security-by-default checklist, highlighting gaps in MFA enforcement, secure logging, and secure update mechanisms. Prioritise remediation for components embedded in critical infrastructure, healthcare, and government environments.
- Memory safety strategy. Budget for phased rewrites or mitigations where memory-unsafe languages are unavoidable, such as employing compiler hardening, sandboxing, and exploit mitigation features while long-term refactoring plans mature.
- Development lifecycle updates. Embed secure coding standards, automated dependency scanning, and fuzz testing into CI/CD pipelines. Align backlog grooming with threat modelling outputs and ensure security user stories are treated as first-class backlog items.
- Customer communication. Build transparency portals housing SBOMs, vulnerability advisories, and support lifecycles. Provide machine-readable notices and integrate with CISA’s Known Exploited Vulnerabilities catalog to accelerate customer patching.
- Contractual commitments. Update master service agreements to guarantee secure defaults, explicit support timelines, and rapid out-of-band update capabilities for critical flaws.
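The KEV integration in the customer communication item above, as an added example (not CISA's or any vendor's code): CISA publishes the catalog as JSON with a top-level "vulnerabilities" array whose entries carry cveID, vendorProject, product, dateAdded, dueDate and knownRansomwareCampaignUse. The script cross-references a vendor's open advisories against that catalog, ranks the hits by urgency, flags KEV entries that name the vendor but have no advisory at all, and emits a machine-readable notice. The catalog excerpt, the vendor name, and the advisory records are constructed samples with placeholder CVE IDs, and the advisory field names and notice layout are assumptions of this example.

```python
"""Cross-reference vendor advisories with CISA's Known Exploited Vulnerabilities catalog.

Added example for this briefing, not CISA's or any vendor's code. The KEV
JSON layout (cveID, vendorProject, product, dateAdded, dueDate,
knownRansomwareCampaignUse) matches the published catalog; the entries,
vendor name, advisory records and notice format below are constructed.
"""
import json
from datetime import date

VENDOR = "ExampleCo"          # constructed vendor name
TODAY = date(2099, 1, 20)     # fixed "today" so the example is reproducible

# Constructed KEV excerpt with placeholder CVE IDs, in the catalog's real layout.
KEV_SAMPLE_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCo", "product": "Gateway",
         "dateAdded": "2099-01-10", "dueDate": "2099-01-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleCo", "product": "Gateway",
         "dateAdded": "2099-01-19", "dueDate": "2099-02-09", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2099-0004", "vendorProject": "ExampleCo", "product": "Console",
         "dateAdded": "2099-01-11", "dueDate": "2099-02-01", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2099-0005", "vendorProject": "OtherVendor", "product": "Router",
         "dateAdded": "2099-01-05", "dueDate": "2099-01-26", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed vendor advisory records; fixed_in is None while no patch ships.
VENDOR_ADVISORIES = [
    {"advisory": "EXCO-2099-01", "cve": "CVE-2099-0001", "fixed_in": "4.2.1"},
    {"advisory": "EXCO-2099-02", "cve": "CVE-2099-0002", "fixed_in": None},
    {"advisory": "EXCO-2099-03", "cve": "CVE-2099-0003", "fixed_in": "4.2.0"},  # not in KEV
]


def load_kev(catalog_json: str) -> dict[str, dict]:
    """Index the catalog by CVE ID."""
    return {v["cveID"]: v for v in json.loads(catalog_json)["vulnerabilities"]}


def kev_exposure(advisories: list[dict], kev: dict[str, dict], today: date) -> list[dict]:
    """Advisories whose CVE is in KEV, most urgent first: known ransomware use,
    then nearest federal remediation due date, then those still without a fix."""
    rows = []
    for adv in advisories:
        entry = kev.get(adv["cve"])
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "advisory": adv["advisory"],
            "cve": adv["cve"],
            "product": entry["product"],
            "ransomware_use": entry["knownRansomwareCampaignUse"] == "Known",
            "fix_available": adv["fixed_in"] is not None,
            "fixed_in": adv["fixed_in"],
            "kev_due_date": entry["dueDate"],
            "days_to_due": (due - today).days,
        })
    rows.sort(key=lambda r: (not r["ransomware_use"], r["days_to_due"], r["fix_available"]))
    return rows


def missing_advisories(kev: dict[str, dict], vendor: str, advisories: list[dict]) -> list[str]:
    """KEV entries naming this vendor that have no advisory at all: a transparency gap."""
    covered = {a["cve"] for a in advisories}
    return sorted(v["cveID"] for v in kev.values()
                  if v["vendorProject"] == vendor and v["cveID"] not in covered)


def customer_notice(rows: list[dict], generated: date) -> str:
    """Machine-readable bulletin a customer's patch tooling can ingest (layout assumed)."""
    return json.dumps({"vendor": VENDOR, "generated": generated.isoformat(), "items": rows}, indent=2)


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE_JSON)
    exposure = kev_exposure(VENDOR_ADVISORIES, kev, TODAY)
    print(customer_notice(exposure, TODAY))
    print("KEV entries with no advisory:", missing_advisories(kev, VENDOR, VENDOR_ADVISORIES))
```

The sort key is deliberate: an entry with known ransomware use outranks an earlier due date, because the due date reflects the federal remediation deadline rather than the attacker tempo. Running `missing_advisories` against the live catalog on every build is a cheap way to catch the situation the guidance warns about, a CISA-listed exploited flaw in your product with no public advisory from you.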
The guidance insists that vendors ship products with the most secure settings enabled (TLS enforced, audit logging on, secure boot active, remote management ports disabled) and that any residual hardening be simple and well documented. It also turns the usual hardening guide on its head: rather than publishing a list of steps customers must perform after installation, manufacturers should publish loosening guides that explain the risk of relaxing each secure default. Engineering and UX teams should collaborate so that onboarding flows favour security, offering contextual education rather than burdening operators with complex manual hardening steps.
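The secure-by-default audit recommended in the portfolio assessment and 90-day checklist, as an added example (not CISA's tooling or a product's own checker): it takes a product's shipped default configuration and reports every setting that misses the checklist the guidance describes, with a factory-default and a hardened sample side by side. The configuration layout (the dictionary keys), the sample credentials and the severity labels are assumptions of this example.

```python
"""Audit a product's shipped defaults against the secure-by-default checklist.

Added example for this briefing, not CISA tooling. Checks the settings the
guidance names: no default passwords, MFA on privileged accounts, TLS
required at 1.2 or higher, audit logging on, remote management off.
The configuration layout and sample values are assumptions of this example.
"""
from dataclasses import dataclass

# Factory credentials commonly found in shipped products; a real audit
# would draw on a maintained wordlist rather than this short set.
KNOWN_DEFAULT_PASSWORDS = {"", "admin", "password", "123456", "changeme"}


@dataclass(frozen=True)
class Finding:
    setting: str    # dotted path into the configuration
    observed: str   # what the shipped default does
    required: str   # what the guidance expects instead
    severity: str   # "critical" or "high"


def _tls_version(version: str) -> tuple[int, int]:
    major, minor = version.split(".")
    return int(major), int(minor)


def audit_defaults(config: dict) -> list[Finding]:
    """Return one Finding per insecure default; an empty list means every check passed."""
    findings: list[Finding] = []
    auth = config.get("auth", {})
    for account in auth.get("accounts", []):
        path = f"auth.accounts[{account['name']}]"
        if account.get("password") in KNOWN_DEFAULT_PASSWORDS:
            findings.append(Finding(f"{path}.password", "known default credential",
                                    "unique per-device secret or forced change at first login", "critical"))
        if account.get("privileged") and not account.get("mfa_enforced"):
            findings.append(Finding(f"{path}.mfa_enforced", "MFA optional on a privileged account",
                                    "MFA enforced for every privileged account", "critical"))
    tls = config.get("tls", {})
    if not tls.get("required", False):
        findings.append(Finding("tls.required", "plaintext accepted", "TLS enforced on every listener", "high"))
    min_version = tls.get("min_version", "1.0")
    if _tls_version(min_version) < (1, 2):
        findings.append(Finding("tls.min_version", min_version, "1.2 or higher", "high"))
    if not config.get("logging", {}).get("audit_enabled", False):
        findings.append(Finding("logging.audit_enabled", "audit logging off", "audit logging on by default", "high"))
    remote = config.get("remote_management", {})
    if remote.get("enabled", False):
        findings.append(Finding("remote_management.enabled",
                                f"listening on {remote.get('listen', '0.0.0.0')}:{remote.get('port')}",
                                "disabled until the operator explicitly turns it on", "critical"))
    return findings


# Constructed sample: the kind of factory default the guidance is written against.
SHIPPED_DEFAULTS = {
    "auth": {"accounts": [
        {"name": "admin", "password": "admin", "privileged": True, "mfa_enforced": False},
        {"name": "guest", "password": "", "privileged": False, "mfa_enforced": False},
    ]},
    "tls": {"required": False, "min_version": "1.0"},
    "logging": {"audit_enabled": False},
    "remote_management": {"enabled": True, "listen": "0.0.0.0", "port": 4433},
}

# Constructed sample: the same product after the defaults are corrected.
HARDENED_DEFAULTS = {
    "auth": {"accounts": [
        {"name": "admin", "password": "per-device-generated-secret", "privileged": True, "mfa_enforced": True},
    ]},
    "tls": {"required": True, "min_version": "1.2"},
    "logging": {"audit_enabled": True},
    "remote_management": {"enabled": False},
}


if __name__ == "__main__":
    for f in audit_defaults(SHIPPED_DEFAULTS):
        print(f"[{f.severity}] {f.setting}: {f.observed} -> required: {f.required}")
    print("hardened config findings:", audit_defaults(HARDENED_DEFAULTS))
```

Wiring `audit_defaults` into the release pipeline, with a non-empty result failing the build, turns the checklist into a gate rather than a spreadsheet; the severity labels map naturally onto the remediation priorities in the roadmap above.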
Governance and accountability expectations
The advisory frames secure-by-design as a leadership responsibility requiring resourcing, incentives, and accountability from board level down. CISA urges executives to measure security investments in terms of customer outcomes rather than vulnerability counts and to tie engineering performance metrics to resilience goals. Companies should designate an accountable executive—often the CTO or CISO—to report quarterly on progress toward the guidance’s benchmarks, with compensation linked to reducing customer exposure time.
Transparency obligations include publishing vulnerability disclosures without NDAs, offering clear product end-of-life roadmaps, and publishing complete CVE records with root-cause (CWE) data so the industry can track and eliminate whole classes of weakness. The document warns against legal or marketing tactics that downplay security gaps, aligning with global consumer protection enforcement trends.
Sector adoption strategies
- Critical infrastructure vendors. Align design controls with sector-specific regulations such as NERC CIP, IEC 62443, and TSA pipeline directives. Provide configuration baselines that meet CISA Cross-Sector Cybersecurity Performance Goals out of the box.
- Cloud and SaaS providers. Implement tenant isolation, default encryption, and secure API authentication while furnishing customers with audit logs and configuration drift alerts. Offer rapid rollback mechanisms for faulty updates.
- Device and OT manufacturers. Ship secure boot, signed firmware, and protective network defaults. Create field-upgradeable architectures so critical fixes can be delivered without physical service calls.
- Enterprise IT teams. When procuring solutions, bake the guidance into RFP questionnaires and vendor scorecards, requesting evidence of secure defaults, memory-safe coding roadmaps, and independent security testing.
Measurement and validation
To demonstrate progress, organisations should define KPIs aligned to the guidance:
- Secure configuration coverage. Percentage of products shipping with MFA, role-based access control, and secure logging enabled by default.
- Patch velocity. Median time to issue security fixes after vulnerability discovery and customer adoption rates within 30 days.
- Memory safety adoption. Portion of new code written in memory-safe languages and reduction in memory-corruption vulnerabilities reported.
- Transparency metrics. Time to publish advisories, number of customers subscribing to security bulletins, and third-party assessment participation.
Couple metrics with independent validation, such as SOC 2 Type II attestation, FedRAMP continuous monitoring, or penetration tests witnessed by major customers.
The authors encourage suppliers to publish transparent metrics and roadmaps so customers can verify improvement over time, including annual reports on design changes, penetration test outcomes, and plans to address systemic weaknesses. Treat these disclosures as part of investor relations and customer trust programmes, not merely compliance artefacts.
Capture these indicators in dashboards reviewed alongside customer support metrics so security performance stays visible beyond engineering leadership.
Action checklist for the next 90 days
- Conduct an executive briefing on the secure-by-design guidance, assigning ownership for each principle across engineering, product, legal, and customer success.
- Audit flagship products against the guidance’s secure-by-default checklist and create a remediation roadmap with funding and timelines.
- Launch a memory safety working group to prioritise refactoring targets, enable compiler hardening, and establish metrics for memory-related vulnerability reduction.
- Revise vulnerability disclosure and customer communication processes to align with the transparency expectations and integrate with CISA’s KEV catalog.
- Request Secure by Design pledge updates from core suppliers and map their published milestones to internal procurement and regulator briefings.
Sources
- CISA — International partners issue guidance to promote security-by-design and -default (13 April 2023).
- CISA et al. — Secure by Design, Secure by Default (April 2023).
- CISA — CISA calls on software manufacturers to produce secure-by-design products (2022).
- CISA — Known Exploited Vulnerabilities catalog.
- CISA — Cross-Sector Cybersecurity Performance Goals (2022).
- CISA — Secure by Design pledge launched at RSA Conference 2024 (8 May 2024).
- CISA — Secure by Design pledge page setting out the seven measurable goals (May 2024).