The Cybersecurity and Infrastructure Security Agency’s Secure by Design initiative has made significant progress in its first year [2], shifting security responsibility from end users to technology manufacturers and raising awareness of secure design principles.
The initiative, which celebrated its first anniversary in April [1], has achieved several milestones [1] [2]. CISA has provided guidance on implementing secure design principles [1], introduced liability for software providers [1] [2], and required secure development practices for companies supplying software to the federal government [2]. Secure design has been integrated into public procurement processes, and customers are being encouraged to prioritize it. However, there is room for improvement in providing detailed guidance on threat modeling [1] [2]. Moving forward, CISA plans to understand the economic forces shaping software security and to incorporate security into educational programs [1] [2].

Overall, the Secure by Design initiative has successfully made secure design a priority in the software development industry [2], earning a grade of B+. With continued efforts to address areas for improvement and incorporate security into educational programs, the initiative is poised to have a lasting impact on software security practices.