Governance 6 min read Published Updated Credibility 91/100

CISA Secure-by-Design and Default Guidance Released

CISA's Secure by Design guidance pushes vendors to ship products that are secure out of the box: no default passwords, memory-safe languages, and MFA on by default. The security burden shifts from customers to suppliers.



On 13 April 2023, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the NSA, together with cyber authorities from Australia, Canada, the United Kingdom, Germany, the Netherlands and New Zealand, published "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default" to move software accountability from end users to technology suppliers. The playbook sets expectations for memory-safe development, security controls enabled by default, transparent vulnerability management, and organization-wide culture change, and it signals how regulators and major customers will evaluate vendor trustworthiness. Product leaders must translate the principles into release engineering standards, investment plans, and contractual commitments. CISA revised the guidance in October 2023 and, in May 2024, launched a Secure by Design pledge under which signatories commit to show measurable progress within a year on goals including MFA by default, eliminating default passwords, reducing entire classes of vulnerability, timely patching, and vulnerability disclosure with complete CVE records.

Core principles in the guidance

The joint advisory distils three core principles: take ownership of customer security outcomes, embrace radical transparency and accountability, and lead from the top by building the organizational structure that drives secure design. It outlines practical controls under each pillar, such as eliminating universal default passwords, enforcing multi-factor authentication (MFA) for privileged and administrative accounts by default, enabling audit logging by default rather than as a paid tier, and providing timely, well-documented patches. The authors also champion a pivot to memory-safe languages (for example, Rust, Go, Java, C#, Swift, Python) for new development and when refactoring high-risk components, citing Microsoft and Google data showing that roughly two-thirds of vulnerabilities in code written in memory-unsafe languages are memory safety issues.

Vendors are urged to invest in threat modeling during design, automated testing pipelines with coverage for authentication, authorization, and cryptography failures, and telemetry to verify that mitigations remain effective post-deployment. The advisory underscores that core security features should never be paywalled add-ons but part of the base product configuration.

Implementation roadmap for software suppliers

Executives should charter cross-functional programs that translate the guidance into measurable initiatives:

  • Portfolio risk assessment. Map existing products against the guidance’s security-by-default checklist, highlighting gaps in MFA enforcement, secure logging, and secure update mechanisms. Prioritize remediation for components embedded in critical infrastructure, healthcare, and government environments.
  • Memory safety strategy. Budget for phased rewrites or mitigations where memory-unsafe languages are unavoidable, such as employing compiler hardening, sandboxing, and exploit mitigation features while long-term refactoring plans mature.
  • Development lifecycle updates. Embed secure coding standards, automated dependency scanning, and fuzz testing into CI/CD pipelines. Align backlog grooming with threat modeling outputs and ensure security user stories are treated as first-class backlog items.
  • Secure defaults. The guidance insists that vendors ship products with the most secure settings enabled (for example, TLS enforced, audit logging on, secure boot active, and remote management ports disabled or restricted to local access) and that customers receive explicit, low-friction paths to harden residual risk areas. Engineering and UX teams should collaborate so that onboarding flows favor security, offering contextual education rather than burdening operators with complex manual hardening steps.
  • Customer communication. Build transparency portals housing SBOMs, vulnerability advisories, and support lifecycles. Provide machine-readable notices and integrate with CISA’s Known Exploited Vulnerabilities catalog to accelerate customer patching.
  • Contractual commitments. Update master service agreements to guarantee secure defaults, explicit support timelines, and rapid out-of-band update capabilities for critical flaws.
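The audit below is an added illustration, not code from the CISA guidance or from any vendor, that turns the secure-by-default checklist above into a repeatable check against a product's shipped default configuration. The configuration schema, the account and listener field names, the set of "remote management" service names, and the sample weak and hardened defaults are all assumptions constructed for the example; a real product would map its own settings onto the same checks.

```python
"""Secure-by-default configuration audit (added example; assumed config schema)."""
from dataclasses import dataclass

WEAK_PASSWORDS = {"", "admin", "password", "changeme", "default"}
MGMT_SERVICES = {"ssh", "telnet", "snmp", "web-admin"}   # assumed remote-management listener names
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


@dataclass(frozen=True)
class Finding:
    control: str
    severity: str      # "high" or "medium"
    detail: str


def _version(v: str) -> tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def audit_defaults(config: dict) -> list[Finding]:
    """Return one finding for every secure-by-default item the shipped config fails."""
    findings: list[Finding] = []

    for acct in config.get("accounts", []):
        name, pw = acct["name"], acct.get("password")
        # A universal default password fails. An unset password passes only when the
        # product forces the operator to set one before first use (instance-unique setup).
        if pw is None:
            if not acct.get("must_set_on_first_login", False):
                findings.append(Finding("default-passwords", "high", f"{name}: no password and no forced first-login setup"))
        elif pw.lower() in WEAK_PASSWORDS or pw.lower() == name.lower():
            findings.append(Finding("default-passwords", "high", f"{name}: ships with a default password"))
        if acct.get("privileged") and not acct.get("mfa_required", False):
            findings.append(Finding("mfa", "high", f"{name}: privileged account without MFA by default"))

    tls = config.get("tls", {})
    if not tls.get("required", False):
        findings.append(Finding("tls", "high", "plaintext transport allowed by default"))
    if _version(tls.get("min_version", "1.0")) < (1, 2):
        findings.append(Finding("tls", "medium", f"minimum TLS version {tls.get('min_version', '1.0')} is below 1.2"))

    if not config.get("logging", {}).get("audit_enabled", False):
        findings.append(Finding("audit-logging", "medium", "audit logging is off by default"))

    # Remote management reachable beyond loopback out of the box is an exposed attack surface.
    for svc in config.get("listeners", []):
        if svc["name"] in MGMT_SERVICES and svc.get("enabled", False) and svc.get("bind", "0.0.0.0") not in LOOPBACK:
            findings.append(Finding("remote-management", "high", f"{svc['name']} on port {svc['port']} exposed on {svc['bind']} by default"))

    if not config.get("updates", {}).get("auto_security_updates", False):
        findings.append(Finding("updates", "medium", "security updates are not applied automatically"))

    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample: a typical "works out of the box, harden it yourself" default.
WEAK_DEFAULTS = {
    "accounts": [{"name": "admin", "password": "admin", "privileged": True, "mfa_required": False}],
    "tls": {"required": False, "min_version": "1.0"},
    "logging": {"audit_enabled": False},
    "listeners": [
        {"name": "web-admin", "enabled": True, "bind": "0.0.0.0", "port": 8080},
        {"name": "telnet", "enabled": True, "bind": "0.0.0.0", "port": 23},
    ],
    "updates": {"auto_security_updates": False},
}

# Constructed sample: the same product with secure-by-default settings.
HARDENED_DEFAULTS = {
    "accounts": [{"name": "admin", "password": None, "must_set_on_first_login": True,
                  "privileged": True, "mfa_required": True}],
    "tls": {"required": True, "min_version": "1.2"},
    "logging": {"audit_enabled": True},
    "listeners": [
        {"name": "https", "enabled": True, "bind": "0.0.0.0", "port": 443},
        {"name": "web-admin", "enabled": True, "bind": "127.0.0.1", "port": 8080},
        {"name": "telnet", "enabled": False, "bind": "0.0.0.0", "port": 23},
    ],
    "updates": {"auto_security_updates": True},
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DEFAULTS), ("hardened", HARDENED_DEFAULTS)):
        found = audit_defaults(cfg)
        print(f"{label}: {summarize(found)}")
        for f in found:
            print(f"  [{f.severity}] {f.control}: {f.detail}")
```

Run the audit in CI against the configuration the installer actually writes, not the documented one, and fail the release on any high finding; the "medium" items are the ones worth tracking as the secure configuration coverage KPI over successive releases.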

Governance and accountability expectations

The advisory frames secure-by-design as a leadership responsibility requiring resourcing, incentives, and accountability from board level down. CISA urges executives to measure security investments for customer outcomes rather than vulnerability counts and to tie engineering performance metrics to resilience goals. Companies should designate an accountable executive—often the CTO or CISO—to report quarterly on progress toward the guidance’s benchmarks, with compensation linked to reducing customer exposure time.

Transparency obligations include running a vulnerability disclosure program that authorizes good-faith research rather than threatening it, publishing complete CVE records with root-cause (CWE) data, offering clear product end-of-life roadmaps, and sharing that root-cause analysis with industry partners to shrink response times. The document warns against legal or marketing tactics that downplay security gaps, aligning with global consumer protection enforcement trends.

Sector adoption strategies

  • Critical infrastructure vendors. Align design controls with sector-specific regulations such as NERC CIP, IEC 62443, and TSA pipeline directives. Provide configuration baselines that meet CISA Cross-Sector Cybersecurity Performance Goals out of the box.
  • Cloud and SaaS providers. Implement tenant isolation, default encryption, and secure API authentication while furnishing customers with audit logs and configuration drift alerts. Offer rapid rollback mechanisms for faulty updates.
  • Device and OT manufacturers. Ship secure boot, signed firmware, and protective network defaults. Create field-upgradeable architectures so critical fixes can be delivered without physical service calls.
  • Enterprise IT teams. When procuring solutions, bake the guidance into RFP questionnaires and vendor scorecards, requesting evidence of secure defaults, memory-safe coding roadmaps, and independent security testing.

Measurement and validation

To show progress, teams should define KPIs aligned to the guidance:

  • Secure configuration coverage. Percentage of products shipping with MFA, role-based access control, and secure logging enabled by default.
  • Patch velocity. Median time to issue security fixes after vulnerability discovery and customer adoption rates within 30 days.
  • Memory safety adoption. Portion of new code written in memory-safe languages and reduction in memory-corruption vulnerabilities reported.
  • Transparency metrics. Time to publish advisories, number of customers subscribing to security bulletins, and third-party assessment participation.
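The customer-communication step above (integrating with CISA's Known Exploited Vulnerabilities catalog) and the patch velocity KPI can be computed from the same advisory records. The following is an added example, not code from CISA or from this briefing: it assumes a vendor keeps advisory records with the fields shown, and it uses a constructed KEV snapshot that follows the field names of CISA's KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse). The CVE IDs and advisory IDs are synthetic placeholders, not real entries.

```python
"""KEV cross-reference and patch-velocity KPIs over vendor advisory records (added example)."""
from datetime import date
from statistics import median

# Constructed KEV snapshot using the real feed's field names; CVE IDs are synthetic placeholders.
# Live feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_SNAPSHOT = {
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleCo", "product": "Gateway",
         "dateAdded": "2024-03-01", "dueDate": "2024-03-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00004", "vendorProject": "ExampleCo", "product": "Gateway",
         "dateAdded": "2024-02-20", "dueDate": "2024-03-12", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00009", "vendorProject": "OtherCo", "product": "Router",
         "dateAdded": "2024-03-05", "dueDate": "2024-03-26", "knownRansomwareCampaignUse": "Unknown"},
    ],
}

# Constructed vendor advisory records (assumed schema: ISO dates, None where not yet done).
ADVISORIES = [
    {"id": "EXCO-2024-001", "cve": "CVE-0000-00001", "reported": "2024-02-10",
     "fix_released": "2024-02-28", "published": "2024-03-02", "fixed_in": "4.2.1"},
    {"id": "EXCO-2024-002", "cve": "CVE-0000-00003", "reported": "2024-01-15",
     "fix_released": "2024-03-10", "published": "2024-03-10", "fixed_in": "4.2.2"},
    {"id": "EXCO-2024-003", "cve": "CVE-0000-00004", "reported": "2024-03-01",
     "fix_released": None, "published": None, "fixed_in": None},
]


def _d(s):
    return date.fromisoformat(s) if s else None


def kev_index(kev: dict) -> dict:
    # The CVE ID is the only join key the catalog offers; it carries no version ranges.
    return {v["cveID"]: v for v in kev["vulnerabilities"]}


def kev_exposure(advisories: list, kev: dict, today: str) -> list:
    """Advisories whose CVE is in KEV, worst first: no fix available, then nearest due date.

    dueDate is the federal (BOD 22-01) remediation deadline; customers commonly use it as a
    priority signal, so a negative days_until_due means the deadline has already passed.
    """
    idx = kev_index(kev)
    today_d = _d(today)
    rows = []
    for adv in advisories:
        entry = idx.get(adv["cve"])
        if entry is None:
            continue
        rows.append({
            "advisory": adv["id"],
            "cve": adv["cve"],
            "fix_available": adv["fix_released"] is not None,
            "fixed_in": adv["fixed_in"],
            "days_until_due": (_d(entry["dueDate"]) - today_d).days,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    rows.sort(key=lambda r: (r["fix_available"], r["days_until_due"]))
    return rows


def patch_velocity(advisories: list) -> dict:
    """Median days from report to fix and from fix to advisory, plus the open backlog."""
    fixed = [a for a in advisories if a["fix_released"]]
    to_fix = [(_d(a["fix_released"]) - _d(a["reported"])).days for a in fixed]
    to_publish = [(_d(a["published"]) - _d(a["fix_released"])).days for a in fixed if a["published"]]
    return {
        "median_days_report_to_fix": median(to_fix) if to_fix else None,
        "median_days_fix_to_advisory": median(to_publish) if to_publish else None,
        "open_without_fix": len(advisories) - len(fixed),
    }


if __name__ == "__main__":
    for row in kev_exposure(ADVISORIES, KEV_SNAPSHOT, "2024-03-15"):
        print(row)
    print(patch_velocity(ADVISORIES))
```

The sort order is the point: an exploited-in-the-wild issue with no fix yet is the item customers most need to hear about (with a workaround), ahead of one that already has a fix and a future deadline. Refresh the KEV snapshot daily; entries are added as exploitation is confirmed, not when the CVE is published.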

Couple metrics with independent validation, such as SOC 2 Type II attestation, FedRAMP continuous monitoring, or penetration tests witnessed by major customers.

The authors encourage suppliers to publish transparent metrics and roadmaps so customers can verify improvement over time, including annual reports on design changes, penetration test outcomes, and plans to address systemic weaknesses. Treat these disclosures as part of investor relations and customer trust programs, not merely compliance artifacts.

Capture these indicators in dashboards reviewed alongside customer support metrics so security performance stays visible beyond engineering leadership.

Action checklist for the next 90 days

  1. Conduct an executive briefing on the secure-by-design guidance, assigning ownership for each principle across engineering, product, legal, and customer success.
  2. Audit flagship products against the guidance’s secure-by-default checklist and create a remediation roadmap with funding and timelines.
  3. Launch a memory safety working group to prioritize refactoring targets, enable compiler hardening, and establish metrics for memory-related vulnerability reduction.
  4. Revise vulnerability disclosure and customer communication processes to align with the transparency expectations and integrate with CISA’s KEV catalog.
  5. Request Secure by Design pledge updates from core suppliers and map their published milestones to internal procurement and regulator briefings.


A New Era of Software Accountability

For too long, software vendors shipped products with known vulnerabilities and called it someone else's problem. CISA's "secure by design" initiative signals that era is ending. The message to technology companies is clear: security is not a feature—it is a fundamental responsibility.

This is not just government guidance; it is a preview of where regulations and liability are headed. Organizations that build security into their development process now will have a competitive advantage as these expectations become requirements.

What This Means for Technology Buyers

If you are purchasing software, you have more leverage than you think. Ask vendors about their secure development practices. Request evidence of security testing. Make security part of your procurement criteria, not an afterthought.

The vendors that take these questions seriously are the ones worth doing business with. The ones that cannot answer them? That tells you something important about how they'd handle your data.


Documentation

  1. Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default, joint guidance (CISA, April 2023), cisa.gov
  2. Secure Software Development Framework (SSDF), NIST SP 800-218 (NIST), csrc.nist.gov
  3. National Cybersecurity Strategy (White House, March 2023), whitehouse.gov
