

Policy Briefing — CISA Secure-by-Design and Default Guidance Released

CISA, the FBI, NSA, and international partners published Secure-by-Design and Secure-by-Default guidance on April 13, 2023, calling on software vendors to prioritise memory safety, exploit mitigations, and transparent vulnerability disclosure.

Executive briefing: On April 13, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), FBI, NSA, and allied agencies issued the Secure-by-Design and Secure-by-Default guidance. The publication outlines expectations for software manufacturers to embed security into product roadmaps, including default configurations, vulnerability handling, and transparent communication with customers. CISA has since launched a voluntary Secure by Design pledge whose signatories commit to publicly demonstrating measurable progress on goals such as memory safety, secure defaults, and vulnerability disclosure within a year of signing.

Key recommendations

  • Eliminate insecure default settings. Vendors should ship secure defaults that minimise exposure without customer intervention; hardening should not be left to the customer.
  • Invest in memory-safe languages. The agencies urge migration away from memory-unsafe code where feasible, and adoption of exploit mitigations such as Control-Flow Integrity for code that remains in C and C++.
  • Streamline vulnerability disclosure. Vendors should publish clear vulnerability reporting channels and a disclosure policy with safe-harbour terms for researchers, and offer SBOMs so customers can see what ships in the product.

Implementation guidance

  • Product roadmaps. Prioritise remediation of insecure defaults, aligning backlog grooming with the guidance’s checklist.
  • Engineering metrics. Track vulnerability remediation timelines, exploit-mitigation coverage of shipped binaries, and the share of code in memory-safe languages to demonstrate progress.
  • Customer communication. Prepare transparent advisories and changelogs documenting security-impacting updates.
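As an added example for the exploit-mitigation recommendation and the engineering-metrics item above (illustrative code written for this briefing, not tooling from CISA or any vendor), the following Python script audits ELF64 binaries for three build-time mitigations that can be measured from the file alone: PIE, a non-executable stack, and RELRO (partial or full). It reads only the ELF header, program headers and dynamic section using the standard library. The sample images it checks are constructed in memory and are not loadable programs; `audit_file` is the entry point for real build artefacts. Stack canaries and CFI instrumentation are not detected here because they need symbol or section inspection.

```python
"""Audit ELF64 binaries for build-time exploit mitigations (PIE, NX stack, RELRO).

Added example for this briefing, not CISA's or any vendor's tooling. The sample
images below are constructed in memory so the script runs offline.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ELF64 constants (System V ABI / elf.h)
ET_EXEC, ET_DYN = 2, 3             # ET_DYN: position-independent executable or shared object
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn, 16 bytes


@dataclass
class Mitigations:
    pie: bool
    nx: bool
    relro: str   # "none", "partial" or "full"


def audit_elf(data: bytes) -> Mitigations:
    """Return the mitigation status of a little-endian ELF64 image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF image")
    fields = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]

    pie = e_type == ET_DYN
    # With no PT_GNU_STACK header the loader falls back to an executable stack.
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0][1] & PF_X)

    relro = "none"
    if any(p[0] == PT_GNU_RELRO for p in phdrs):
        relro = "partial"
        # Full RELRO also needs immediate binding so the whole GOT is read-only after load.
        for p in phdrs:
            if p[0] != PT_DYNAMIC:
                continue
            off, size = p[2], p[5]
            for j in range(size // DYN.size):
                tag, val = DYN.unpack_from(data, off + j * DYN.size)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    relro = "full"
    return Mitigations(pie, nx, relro)


def audit_file(path: str) -> Mitigations:
    with open(path, "rb") as f:
        return audit_elf(f.read())


def fully_hardened(m: Mitigations) -> bool:
    """Metric predicate: PIE, NX and full RELRO all present."""
    return m.pie and m.nx and m.relro == "full"


def build_sample(e_type: int, stack_flags: Optional[int], relro: bool,
                 dyn_tags: List[Tuple[int, int]]) -> bytes:
    """Construct a minimal ELF image (header, program headers, dynamic section) for testing.
    It is not loadable; it only carries the metadata the auditor inspects."""
    phdrs = []
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    dyn = b"".join(DYN.pack(t, v) for t, v in dyn_tags) + DYN.pack(DT_NULL, 0)
    dyn_off = EHDR.size + PHDR.size * (len(phdrs) + 1)
    phdrs.append((PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian, v1
    ehdr = EHDR.pack(ident, e_type, 0x3E, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(PHDR.pack(*p) for p in phdrs) + dyn


# Constructed samples: a legacy build with every mitigation off, and a hardened one.
SAMPLES = {
    "legacy-agent":   build_sample(ET_EXEC, 7, False, []),                      # RWX stack
    "hardened-agent": build_sample(ET_DYN, 6, True, [(DT_FLAGS, DF_BIND_NOW)]),  # RW stack, BIND_NOW
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        print(name, audit_elf(image), "hardened" if fully_hardened(audit_elf(image)) else "gap")
```

Run `audit_file` over every binary in a release and report the fraction for which `fully_hardened` holds as the mitigation-coverage metric. One caveat for fleet scans: `ET_DYN` also marks shared libraries, so distinguish executables (for example by the presence of a `PT_INTERP` header) before counting PIE adoption, or the libraries will inflate the number.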

Enablement moves

  • Run cross-functional workshops with product, engineering, and legal teams to map guidance items to existing SDLC controls.
  • Update secure development policies to include memory-safety requirements and security-first backlog triage.
  • Coordinate with procurement teams to require secure-by-design attestations from third-party vendors.
  • Request Secure by Design pledge updates from strategic suppliers and tie their published milestones to executive and regulator briefings.
  • Secure by design
  • CISA
  • Software supply chain
  • Product security