International: Cybersecurity agencies publish guidance on secure-by-design procurement
On May 9, 2024, the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), in collaboration with the US Cybersecurity and Infrastructure Security Agency (CISA), the Canadian Centre for Cyber Security (CCCS), the UK National Cyber Security Centre (NCSC-UK), and the New Zealand National Cyber Security Centre (NCSC-NZ), jointly published guidance titled 'Secure-by-Design: Choosing Secure and Verifiable Technologies.'
The guidance outlines the cybersecurity considerations for organizations procuring digital products and services. Further, the guidance provides recommendations for manufacturers and service providers on how they can enhance the cybersecurity of their products.
Secure-by-design
The guidance recommends that manufacturers adopt the principle of 'secure-by-design,' which integrates cybersecurity considerations throughout the product development lifecycle. According to the guidance, this approach encourages manufacturers to address potential cyber threats early by building mitigations directly into the design and architecture of their products, rather than bolting them on after release, thereby improving product security and protecting user data and privacy.
Secure-by-default
The guidance outlines a two-stage approach to procurement, consisting of pre-purchase and post-purchase assessments, that enables organizations to evaluate the security posture of technology products before and after integration into their systems. The guidance emphasizes the importance of selecting products that are 'secure-by-default,' meaning they ship in their most secure configuration out of the box, so that customers do not have to enable or tune security features themselves, which reduces the risk that a product is deployed in a vulnerable state.
Additionally, the guidance encourages organizations to assess their internal cybersecurity policies, frameworks, and infrastructure to ensure compatibility and adequacy in addressing potential risks associated with new procurements.