CISA and FBI Urge Companies to Demand Secure Products from Software Vendors
October 30, 2024
A publication titled “Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem” from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI is intended as a guide for organizations buying software.
As Anna Ribeiro explains in an article in Industrial Cyber, the guide is intended to help organizations drive a secure technology ecosystem by pressuring software manufacturers to prioritize secure technology, making “secure by design” a core consideration.
“This new guide,” says CISA director Jen Easterly, “will help software customers understand how they can use their purchasing power to procure secure products and turn Secure by Design into Secure by Demand.”
This publication complements another document published last year by CISA and its partners, which approached the issue from the opposite direction. Rather than addressing software customers, it directed the secure-by-design message to manufacturers.
Organizations are prompted to address product security at three stages of software installation: before procurement, by posing security-minded questions to the manufacturer; during procurement, by addressing security considerations in the contract; and following procurement, by continuous assessment.
Specific suggestions for customers include asking whether the manufacturer has taken up CISA’s “Secure by Design Pledge,” whether it facilitates and supports the installation of security patches, and whether it enables automatic updates.
Customers should also determine whether the product supports multi-factor authentication or other secure forms of authentication, like passkeys, “by default and at no cost.”