
CISA's "Secure by Design" initiative in uncertainty following departures of major figures

Companies are advocating for CISA to lessen the intensity of its software security initiative, with recent departures from the agency potentially expediting this change.


The Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design initiative, launched in April 2023 to encourage software makers to prioritise cybersecurity, continues to progress despite recent departures of key figures.

The initiative, which has faced uncertainty following the departures of two senior advisers, Bob Lord and Lauren Zabierek, and Jack Cable at the end of the Biden administration, is now under the management of Kirk Lawrence, CISA’s program manager for Secure by Design.

Lawrence has emphasised that Secure by Design is just the starting point for a threat-resilient digital environment, likening it to "locking the front door"—an important first step but not a guarantee against all risks. The framework aims to improve resilience but acknowledges that threat detection and national coordination remain areas needing strengthening within the architecture.

CISA is working on promoting the business benefits of Secure by Design to technology project owners, helping them communicate its value to C-level executives to foster broader organisational support. The broader federal cybersecurity landscape is also pushing for more secure-by-design principles, as reflected in recent executive orders that impose strict deadlines for agencies and contractors to implement updated secure software frameworks led by NIST, due by late 2025.

Technology providers remain engaged with Secure by Design through pledges and ongoing implementation efforts. For example, GitLab, which signed CISA’s Secure by Design pledge over a year ago, is actively improving its multi-factor authentication and other security measures in alignment with the initiative’s goals.

Despite the departures, the Secure by Design initiative has made significant strides in enhancing cybersecurity, as acknowledged by Ari Schwartz, a former White House cyber official. Some people, however, have expressed pessimism about its future.

Acting CISA Director Bridget Bean has urged companies to develop products that are secure by design and remains focused on improving cybersecurity through partnerships. Zabierek, who considered her role at CISA her dream job, has declined to comment for this story but mentioned she would continue working on Secure by Design until administrative leave is determined.

In the midst of these changes, CISA continues to issue best-practices guidance under the Secure by Design banner to help companies improve their software, and it has partnered with other countries to raise global visibility for software security concerns. Large tech companies like Microsoft and Google have also begun publicizing their efforts to improve customer security as a result of the Secure by Design campaign.


  1. Privacy and security are paramount concerns for the Cybersecurity and Infrastructure Security Agency (CISA) as it continues to progress with its Secure by Design initiative, even amidst the departures of key figures.
  2. As part of its efforts to boost support for Secure by Design, CISA is actively promoting the business benefits of the initiative to technology project owners and helping them convey its value to C-level executives.
  3. The Secure by Design framework, likened to locking the front door, is just the starting point for a threat-resilient digital environment, and CISA is working alongside technology providers to strengthen their security measures, with companies like GitLab actively improving their multi-factor authentication and other security measures in alignment with the initiative's goals.
