CISA's Updated Guidance: Choosing Secure & Verifiable Technologies

The world of cybersecurity just got a crucially needed update, courtesy of a global collaboration. The Cybersecurity and Infrastructure Security Agency (CISA), alongside the Australian Signals Directorate's Australian Cyber Security Centre (ASD ACSC) and their international partners, has unveiled updated guidance for Choosing Secure and Verifiable Technologies. This piece of guidance is not just an advisory but an imperative blueprint for organizations navigating the stormy seas of tech procurement and cybersecurity threats.

What’s This Guidance All About?

This document provides organizations with a roadmap to ensure that the technology they procure is Secure by Design. Governments and agencies, including CISA, are pushing the narrative from reaction to prevention—engaging cybersecurity at the earliest stages of the product life cycle rather than as an afterthought.

Who’s Backing This?

The partnership spans multiple national cybersecurity bodies, including:
  • Canadian Centre for Cyber Security (CCCS)
  • United Kingdom’s National Cyber Security Centre (NCSC-UK)
  • New Zealand’s National Cyber Security Centre (NCSC-NZ)
  • Republic of Korea’s National Intelligence Service (NIS) and its National Cyber Security Centre (NCSC)
This coalition underscores the shared goal of stemming the tide of rising cyber threats that compromise privacy, disrupt organizations, and inflate costs globally.

Modern Threats Need Modern Solutions

The cybersecurity landscape has evolved with alarming speed. Cybercriminals and nation-state actors aren’t just exploiting vulnerabilities—they’re targeting foundational aspects of supply chains and procurement. These threats demand a shift in how technology solutions are acquired and validated.
Here’s the sitch: Many organizations fail to factor in cybersecurity until something breaks, leading to costly response measures. This guidance offers a proactive framework to integrate security into the procurement process.
  • Specify security requirements upfront: Include clear requirements for cybersecurity in Requests for Proposal (RFPs), contracts, and technical specifications.
  • Assess vendors thoroughly: Evaluate vendors not simply for their feature sets, but for their security credentials, development processes, and incident response policies.
  • Mitigate supply chain risks: Demand traceable, transparent origins of software and hardware. Avoid ambiguous supply chains—these often hide latent vulnerabilities.

What’s New in the Update?

This isn’t the first move by CISA and its partners toward building secure systems. However, the updated guidance reinforces practices that are essential for the challenges organizations face in today’s ransomware-addled world.
Unlike previous iterations, this version sharpens its focus on:
  1. Secure by Design Philosophy: Emphasizing that manufacturers should build security into their products from day one. Gone are the days when security was an add-on feature—it must be inseparable from the core.
  2. Global Coordination: By collaborating with agencies from Canada, the UK, New Zealand, and South Korea, this guidance reflects international cybersecurity best practices rather than region-specific inclinations.
  3. Practical Implementations: The guidance includes tangible steps for organizations of all sizes to adopt, reducing the barrier to action.

Secure by Design: The Guiding Light

The concept of Secure by Design isn’t new, but it's gaining prominence as organizations scramble to adapt to an unforgiving threat landscape. Essentially, Secure by Design means baking security right into the creation process of a product or service.

Key Principles

  • Least-Privilege Access: Implement mechanisms that allow individuals or systems to perform only the specific actions they need.
  • Secure Default Settings: Ensure systems and software are secure out of the box, without requiring extensive configuration.
  • Continuous Security Validation: Monitor and validate in real time to confirm that systems remain secure even as environments evolve.
  • Transparency: Track issues and communicate clearly about patches, updates, and risks.
  • Adoption of Zero-Trust Architecture: Assume no system or user can be inherently trusted.

Why Should You Care?

If you’re thinking, “This sounds great, but how does it affect me directly?”—here’s the kicker. The updated guidelines could save your organization millions in breach costs. By ensuring cybersecurity is a built-in feature rather than a bolted-on solution, organizations can better withstand attacks.
Beyond cost, let’s talk about trust. Technology today is intrinsically linked to brand credibility. A vendor compromised by inadequate security practices can potentially torpedo your organization’s reputation.
More practically:
  • Software Manufacturers: Are encouraged to adopt these principles to ensure their products meet future procurement criteria.
  • Businesses: Can avoid being caught in contract tangles by using this guidance to evaluate partners/vendors.
  • Consumers & Governments: Gain safer products and services, knowing organizations are adhering to a high bar of security.

Understanding Supply Chain Risks

Supply chain attacks, where bad actors compromise software or hardware at its inception or in transit, have become mainstream in the post-SolarWinds world. The goal of this updated guidance is to formalize methods that make it much harder for such breaches to succeed.
Here’s an example of what secure technology supply chain practices might look like:
  1. Source Code Transparency: Require mandatory audits of the source code provided by vendors.
  2. Tamper-Proof Delivery Systems: Retain control over how software packages are compiled, delivered, and updated.
  3. Continuous Monitoring of Vendors: Establish procedures for ongoing security health checks on third-party systems.

What You Can Do Moving Forward

Whether you're an enterprise executive, a software developer, or merely a tech enthusiast, this guidance makes it clear: Security is everyone’s responsibility, and achieving it requires a collective push. Here’s a cheat sheet for where to start:
  1. Check Out the Full Guidance: Read the advisory from CISA and its partners to align your practices with Secure by Design principles.
  2. Audit Your Supply Chains: Even if you're a user and not a provider, ask your vendors about their compliance with these standards.
  3. Embed Security In Contracts: If procuring any hardware/software, make cybersecurity clauses non-negotiable.
  4. Engage in Continuous Improvement: Reevaluate how your organization’s security posture aligns with evolving global standards.
  5. Explore Tools on CISA’s Website: Resources like “Secure by Design” are tailor-made to get you from zero to hero in adopting these principles.

One Small Step for Your Organization, One Giant Leap for Cybersecurity

The updated guidance for Choosing Secure and Verifiable Technologies isn’t a box to check but a critical investment in resilience for your systems. Ignore it at your own peril—cybercriminals won’t.
So, go ahead and take that step toward setting up procurement policies and practices that don’t just save money, but save your organization from disaster. A proactive approach today could make all the difference tomorrow.
For any additional queries, head to CISA’s Secure by Design webpage and dive into their trove of tailored resources. It’s time to bid goodbye to cybersecurity headaches and say hello to smarter, safer systems—no aspirin required.

Source: CISA ASD’s ACSC, CISA, and US and International Partners Release Guidance on Choosing Secure and Verifiable Technologies