CISA Joins the Minimum Viable Secure Product Working Group


By: Jack Cable, Senior Technical Advisor and Bob Lord, Senior Technical Advisor

Today, we’re excited to announce that CISA is joining the Minimum Viable Secure Product (MVSP) Working Group. Since launching CISA’s global Secure by Design initiative last year, we’ve received a tremendous amount of feedback (including through our Request for Information that recently closed!).

One of the key questions we’ve gotten is how organizations consuming software can ask the right questions of their software manufacturers. Such a “secure by demand” approach is crucial to drive the uptake of secure by design principles and practices.

Too often, procurement questionnaires are filled with long lists of questions which don’t always correlate with positive security outcomes. In order to achieve a future where technology is secure by design, companies buying software should have simple and to the point questions for their vendors.

The MVSP is an important step forward toward this goal. MVSP offers a simple checklist that organizations can use to strengthen security at multiple stages – to review their software vendors’ security during procurement, as a self-assessment tool for their own software, as part of their software development lifecycle (SDLC), or as contractual controls – which can go a long way towards helping ensure secure by design principles are followed. We’re excited to join the MVSP working group to help shape the direction of the initiative going forward. The MVSP is a composed of a broad coalition of technology manufacturers, and the working group is open for anyone to join.

We’ve provided input into the MVSP based on CISA’s Secure by Design guidance and are glad to be part of this effort to further build on our existing work. Through CISA’s Secure by Design guidance, including our Secure by Design whitepaper and Secure by Design Alert series, we’re making it clear how technology manufacturers can take ownership of their customer’s security outcomes, leading to a safer future.

For more information on secure by design, check out CISA’s Secure by Design website. As always, you can get in touch with us at

Disclaimer: CISA does not endorse any commercial entity, product, company, or service, including any entities participating in the MVSP Working Group. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.