CISA’s challenge to a major stakeholder in the “Cyber Harmony” Model - The Manufacturer


In our pursuit of increased collaboration among construction, facilities, and IT, it becomes crucial for all stakeholders, including the software manufacturers whose products are deployed in the built environment, to build security into their offerings rather than leave it to the customer. The “Cyber Harmony” model positions manufacturers as one of the pivotal stakeholders, because the security of the devices and software they ship sets the baseline for everyone downstream, and their progress contributes significantly to the industry’s movement toward genuine Cyber Harmony.

In late December 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a Request for Information (RFI) to gather insights on secure-by-design software practices. This initiative aligns with the agency’s ongoing global campaign urging software manufacturers to prioritize secure design and revamp their development programs. Although there is a push for cybersecurity awareness throughout commercial real estate and all of its stakeholders, I believe that we can all agree that a push for manufacturers to develop more secure devices is a great start.

Key Points:

  • CISA’s RFI, published in the Federal Register, seeks information to enhance its Secure by Design campaign.
  • Topics include integrating security early into the software development life cycle (SDLC), education, recurring vulnerabilities, AI, operational technology (OT), and addressing the economics of secure design.
  • CISA emphasizes the need for diverse perspectives and feedback to strengthen its campaign.
  • The President’s National Cybersecurity Strategy calls for a shift in security responsibility from customers to software manufacturers.
  • Co-sealed by 18 U.S. and international agencies, CISA’s Secure by Design guidance aims to reduce cybersecurity burdens on customers.
  • The RFI seeks feedback on which security tactics in the SDLC have proven effective, with particular attention to how smaller software manufacturers, which often struggle to implement robust practices, can adopt them.
  • Input is requested on examples of educational initiatives linking commercial entities, universities, and online programs to enhance security knowledge.
  • CISA inquires about the costs incurred by manufacturers in developing secure-by-design products and seeks information on how vulnerabilities impact both manufacturers and customers.
  • The RFI addresses customer perceptions of security and explores ways customers request secure products.
  • Recurring vulnerabilities are a focal point, with CISA seeking input on barriers to elimination and changes to CVE and CWE programs.
  • CISA highlights threat modeling, especially for OT systems, and asks for examples of publicly available threat models and for best practices a manufacturer can use to demonstrate that it runs a robust threat modeling program.
  • CISA urges manufacturers and stakeholders to provide written comments by Feb. 20, 2024, to inform future iterations of their whitepaper and collaborative efforts with the global community.

In conclusion, the information gathered through CISA’s RFI is a crucial resource for improving the cybersecurity of Operational Technology (OT) deployments. By addressing key areas such as integrating security into the software development life cycle, education, recurring vulnerabilities, and threat modeling for OT systems, the insights obtained can guide the development of more cyber-secure OT solutions.

The emphasis on diverse perspectives, feedback from manufacturers, and an understanding of the economics of secure design contributes to a comprehensive approach. Ultimately, this initiative supports the creation of robust, secure-by-design OT deployments, in line with CISA’s global campaign to reduce the cybersecurity burden on customers and foster a safer technological landscape.

Greg is currently the Business Development Leader for Building IoT and Integration for Cochrane Supply & Engineering. In 2022, Greg was appointed to the role of Executive Director for the Real Estate Cyber Consortium (RECC), promoting “cyber harmony” through leadership and insight on best practices, policies, and procedures for real estate owners, operators, and solution providers.