Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Cybersecurity & Infrastructure Security Agency
America's Cyber Defense Agency

Search

 
 
  • Topics
    Cybersecurity Best Practices
    Cyber Threats and Advisories
    Critical Infrastructure Security and Resilience
    Election Security
    Emergency Communications
    Industrial Control Systems
    Information and Communications Technology Supply Chain Security
    Partnerships and Collaboration
    Physical Security
    Risk Management
    How can we help?
    GovernmentEducational InstitutionsIndustryState, Local, Tribal, and TerritorialIndividuals and FamiliesSmall and Medium BusinessesFind Help Locally
  • Spotlight
  • Resources & Tools
    All Resources & Tools
    Services
    Programs
    Resources
    Training
    Groups
  • News & Events
    News
    Events
    Cybersecurity Alerts & Advisories
    Directives
    Request a CISA Speaker
    Congressional Testimony
  • Careers
    Benefits & Perks
    HireVue Applicant Reasonable Accommodations Process
    Hiring
    Resume & Application Tips
    Students & Recent Graduates
    Veteran and Military Spouses
    Work @ CISA
  • About
    Culture
    Divisions & Offices
    Regions
    Leadership
    Doing Business with CISA
    Contact Us
    Site Links
    Reporting Employee and Contractor Misconduct
    CISA GitHub
Report a Cyber Issue
America's Cyber Defense Agency
Breadcrumb
  1. Home
Share:
secure by design, secure by default

Secure by Design, Secure by Default

It's time to build cybersecurity into the design and manufacture of technology products.
Find out here what it means to be secure by design and secure by default.

As America’s Cyber Defense Agency, CISA is charged with defending our nation against ever-evolving cyber threats and to understand, manage, and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day. But, as we introduce more unsafe technology to our lives, this has become increasingly difficult.  

As a nation, we have allowed a system where the cybersecurity burden is placed disproportionately on the shoulders of consumers and small organizations and away from the producers of the technology and those developing the products that increasingly run our digital lives. Americans need a new model to address the gaps in cybersecurity—a model where consumers can trust the safety and integrity of the technology that they use every day.

CMU Speech of Jen Easterly

Government cannot solve this problem alone. Technology manufacturers must increasingly embrace their role in putting consumer safety first. Technology providers and software developers must take the first step to shift this burden by claiming ownership of their customers’ security outcomes.

Featured Content

Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default

Joint U.S. & international guide urging software manufacturers to take necessary steps to ship products that are secure-by-design and -default.

CISA Director Easterly Remarks at Carnegie Mellon University

Unsafe at Any CPU Speed: The Designed-in Dangers of Technology and What We Can Do About It

Stop Passing the Buck on Cybersecurity - Why Companies Must Build Safety Into Tech Products

By CISA Director Jen Easterly and Executive Assistant Director for Cybersecurity Eric Goldstein

CISA’s Cyber Experts Talk Shop on the Need for Safer Tech

Three of CISA’s top cyber experts reflect on what it means to be Secure by Design and Secure by Default and issue call to action to tech manufacturers.

What it Means to Be Secure by Design and Secure by Default

Every technology provider must take ownership at the executive level to ensure their products are both secure by design and secure by default.

What is Secure by Design?

Secure by Design products are those where the security of the customers is a core business requirement, not just a technical feature. Secure by Design principles should be implemented during the design phase of a product’s development lifecycle to dramatically reduce the number of exploitable flaws before they are introduced to the market for broad use or consumption.

What is Secure by Default?

Secure by Default products are those that are secure to use out of the box, with little to no configuration changes and are available at no additional cost, such as multi-factor authentication (MFA), gather and log evidence of potential intrusions, and control access to sensitive information.

Director Easterly's video remarks at CMU

Watch CISA Director Easterly's Remarks at Carnegie Mellon University

Unsafe at Any CPU Speed: The Designed-in Dangers of Technology and What We Can Do About It

Watch the video

Related News and Resources

U.S. and International Partners Publish Secure-by-Design and -Default Principles and Approaches   

APR 13, 2023 | PRESS RELEASE
Press Release on joint product that outlines clear steps technology providers can take to increase the safety of products used around the world.

Readout: Director Easterly Visits Carnegie Mellon University, Calls for “Radical Change” for Technology Product Safety in Major Address

FEB 27, 2023 | PRESS RELEASE
Emphasizes the need for radical changes to the technology industry so that tech products are both secure-by-design and secure-by-default.

The Cost of Unsafe Technology and What We Can Do About It

MAR 10, 2023 | BLOG
Strong security should be a standard feature of virtually every technology product, and especially those that support the critical infrastructure that Americans rely on daily.

Contact Us

Please share your thoughts by emailing us at: SecureByDesign@cisa.dhs.gov.

Return to top
  • Topics
  • Spotlight
  • Resources & Tools
  • News & Events
  • Careers
  • About
Cybersecurity & Infrastructure Security Agency
  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS
CISA Central 888-282-0870 Central@cisa.dhs.gov
DHS Seal
CISA.gov
An official website of the U.S. Department of Homeland Security
  • About CISA
  • Accessibility
  • Budget and Performance
  • DHS.gov
  • FOIA Requests
  • No FEAR Act
  • Office of Inspector General
  • Privacy Policy
  • Subscribe
  • The White House
  • USA.gov
  • Website Feedback