
Leading the Way with Radical Transparency


By Bob Lord and Jack Cable

Today, the Administration announced the U.S. Cyber Trust Mark, an Internet of Things (IoT) labeling initiative led by the Federal Communications Commission and the National Institute of Standards and Technology. The initiative will give consumers a way of understanding whether IoT products meet a cybersecurity baseline to improve overall safety. At CISA, we heartily applaud this effort and are excited to work with both our public and private sector partners to continue to embrace such transparency for a safer and more secure nation. 

We talk a lot about a future where market forces drive stronger security, but to make this a reality, customers need to be able to evaluate products based on their actual security. We certainly have not made that easy for them to date. As it stands, security claims are too often written by marketing teams rather than based on evidence. For instance, marketing copy frequently promises "military grade encryption," a phrase with no technical definition: it usually refers to the same standard algorithms, such as AES, that any product can use, and says nothing about whether the product uses them correctly. But how could a hospital system, a water treatment facility, or a school district know this?

In April, CISA, along with nine domestic and international partners, released a Secure by Design white paper, detailing our collective vision for a more secure future where technology manufacturers assume more of the burden of security. A key principle in that document – that manufacturers must embrace radical transparency and accountability – is particularly relevant to today’s Cyber Trust Mark announcement, and one of the reasons we at CISA are so enthusiastic about it. This initiative will enable customers to understand more about the security of devices they are considering purchasing, and ultimately, gravitate to more secure products, just as nutrition labels help customers make healthier choices about the food they buy at the grocery store. 

Radical transparency can take many forms—from security labeling, to a software provider publishing statistics on adoption of multi-factor authentication, to a technology manufacturer writing a blog post on their efforts to eliminate an entire class of vulnerability from their codebases—but all are important for a holistic understanding of our individual as well as our collective cybersecurity posture. 

We are now working on the next iteration of our Secure by Design guidance, which will detail ways that technology manufacturers can demonstrate their adherence to Secure by Design principles, including radical transparency. If you happen to be attending DEFCON this summer, we will be hosting a workshop inviting the security community to provide feedback. You can also reach out to us at SecureByDesign@cisa.dhs.gov with your thoughts.