The cybersecurity agencies of New Zealand, Australia, the United States, Canada and the United Kingdom have published joint guidance to help organizations procure secure-by-design technologies.
According to the document “Choosing Secure and Verifiable Technologies,” a purchaser should assess a product and its manufacturer before buying to ensure it is within an organization’s risk tolerance.
Other recommendations include considering security controls to avoid compromising data and ensuring that manufacturers’ information is honest and transparent.
The guidance also informs manufacturers about secure-by-design considerations that could help them attract customers and enhance the security of their technologies.
Manufacturers are advised to have a full and detailed threat model for their organizations, products and services, as well as a supply chain risk management plan. They should also notify customers of any product vulnerabilities and create attestations that their production processes align with a defined security strategy or standard.
The document was authored by the National Cyber Security Centre of New Zealand, the Australian Cyber Security Centre, the U.S. Cybersecurity and Infrastructure Security Agency, the Canadian Centre for Cyber Security, and the United Kingdom’s National Cyber Security Centre.