International: Cybersecurity agencies publish guidance on secure-by-design procurement

On May 9, 2024, the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), in collaboration with the US Cybersecurity and Infrastructure Security Agency (CISA), the Canadian Centre for Cyber Security (CCCS), the UK National Cyber Security Centre (NCSC-UK), and the New Zealand National Cyber Security Centre (NCSC-NZ), jointly published guidance titled 'Secure-by-Design Choosing Secure and Verifiable Technologies.'

The guidance outlines the cybersecurity considerations for organizations procuring digital products and services. Further, the guidance provides recommendations for manufacturers and service providers on how they can enhance the cybersecurity of their products.


The guidance recommends that manufacturers adopt the principle of 'secure-by-design,' which integrates cybersecurity considerations throughout the product development lifecycle. According to the guidance, this approach encourages manufacturers to address potential cyber threats early by incorporating mitigation strategies directly into the design and architecture of their products, thereby improving product security and protecting user data and privacy.


The guidance outlines a two-stage approach to procurement, consisting of pre-purchase and post-purchase assessments, that enables organizations to evaluate the security standards of technology products before integration into their systems. The guidance emphasizes the importance of selecting products that are 'secure-by-default,' meaning they offer robust security features by default, reducing the need for additional configurations and lowering the risk of vulnerabilities.

Additionally, the guidance encourages organizations to assess their internal cybersecurity policies, frameworks, and infrastructure to ensure compatibility and adequacy in addressing potential risks associated with new procurements.

You can read the press release here and the guidance here.