
CISA Guide Sparks Calls for Software Supplier 'Safe Harbor'

New Security Transparency Guidance Sparks Demands for Supplier Protections
The U.S. Cybersecurity and Infrastructure Security Agency has pushed in recent years to shift security responsibilities from end users to software manufacturers.

A new guide designed to help the private sector assess software manufacturers' cybersecurity measures is renewing calls to bolster protections for developers who follow White House demands for increased transparency.


The U.S. Cybersecurity and Infrastructure Security Agency and FBI released a joint guide Tuesday that calls on private sector organizations to "ask hard questions of their vendors" and gain transparency into due diligence assessments, enterprise risk acceptance decisions and supplier security processes. Software manufacturers should invest in product security efforts such as application hardening and support additional security capabilities that bolster the security posture of end users, the federal agencies said.

"There's a lot to like in CISA's new secure-by-demand guide," said Jeff Williams, co-founder and chief technology officer of the application security software platform Contrast Security. But there's an issue hindering the administration's attempts to shift security responsibilities from end users to developers, according to Williams: Organizations currently lack the incentives and protections needed to adopt more transparent security practices.

"Software producers are being told they should be radically transparent at the same time they are being pilloried in the marketplace for any security weaknesses," Williams told Information Security Media Group. "Is CISA talking out of both sides of their mouth with secure by design [and] demand on one side, and threats of liability on the other?"

CISA and the FBI detailed a series of secure-by-default practices that can be implemented immediately to improve security for customers. The guide calls for the elimination of default passwords, which continue to facilitate cyberattacks, and tasks developers with conducting security-focused user testing to better understand their products' security posture in the field.

Software suppliers are also encouraged to issue timely and repeated "attention grabbing alerts" when end users are known to be operating in unsafe digital environments, and to create secure configuration templates that preset certain options to secure settings based on a company's individual risk appetite. The latest guide accompanies additional guidance CISA published in early August that aims to streamline software acquisition processes for federal agencies procuring software (see: New CISA Guide Boosts Federal Software Procurement Security).

CISA Director Jen Easterly said in a statement that businesses can "help move the needle by making better risk-informed decisions when purchasing software" and added that the new guidance "will help software customers understand how they can use their purchasing power to procure secure products and turn secure by design into secure by demand."

The administration has pushed to shift security responsibilities back onto software manufacturers in recent years through a number of CISA initiatives, including obtaining voluntary pledges from developers to commit to recommended best practices (see: US Cybersecurity Strategy Shifts Liability Issues to Vendors).

But voluntary pledges without further protections or benefits for the private sector can only go so far, according to Williams.

"If they want to get serious about this 'demand' concept, they need to promote a machine readable way to communicate the details," Williams told ISMG, calling on CISA to "provide a safe harbor for organizations who take this brave step."


About the Author

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.