
NIST/CISA Secure by Design (SBD) Fundamentals

Training Course


Title: NIST/CISA Secure by Design (SBD) Fundamentals

  • Modalities: Virtual | Classroom | Hybrid

  • Duration: 2 days

 

Overview 

This course introduces students to the foundational concepts behind the secure by design and secure by default practices published by the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA). 

 

Who Should Attend

  • Line of Business Leadership

  • Non-Technical Managers

  • Technical Managers

  • Industry Members (e.g., Manufacturing Extension Partnership, State-Federal Liaisons)

 

Course Agenda

  • Day 1 (AM):

    • Introductions

    • What is vulnerable by design

    • What is secure by design

    • What is secure by default

    • What is the relationship with the Secure Software Development Framework (SSDF), NIST SP 800-218

    • Security principles overview

  • Day 1 (PM):

    • Software product security principles detail

      • Principle 1: Take ownership of customer security outcomes

        • Explanation

        • Demonstrating the principle

          • Secure by default practices

            • Eliminate default passwords

            • Conduct field tests

            • Reduce hardening guide size

            • Actively discourage use of unsafe legacy features

            • Implement attention grabbing alerts

            • Create secure configuration templates

          • Secure product development practices

            • Document conformance to a secure SDLC framework

            • Document cybersecurity performance goals (CPG) or equivalent conformance

            • Vulnerability management

            • Responsible use of open source software

            • Provide secure defaults for developers

            • Foster a software developer workforce that understands security

            • Test security information and event management (SIEM) and security orchestration, automation, and response (SOAR) integration

            • Align with zero trust architecture (ZTA)

          • Pro-security business practices

            • Provide logging at no additional charge

            • Eliminate hidden taxes

            • Embrace open standards

            • Provide upgrade tooling

  • Day 2 (AM):

    • Software product security principles detail

      • Principle 2: Embrace radical transparency and accountability

        • Explanation

        • Demonstrating the principle

          • Secure by default practices

            • Publish aggregate security-relevant statistics and trends

            • Publish patching statistics

            • Publish data on unused privileges

          • Secure product development practices

            • Establish internal security controls

            • Publish high-level threat models

            • Publish detailed secure SDLC self-attestations

            • Embrace vulnerability transparency

            • Publish software bills of materials (SBOMs)

            • Publish a vulnerability disclosure policy

          • Pro-security business practices

            • Publicly name a secure by design senior executive sponsor

            • Publish a secure by design roadmap

            • Publish a memory-safety roadmap

            • Publish results

  • Day 2 (PM):

    • Software product security principles detail

      • Principle 3: Lead from the top

        • Explanation

        • Demonstrating the principle

          • Include details of the secure by design program in corporate financial reports

          • Provide regular reports to your board of directors

          • Empower the secure by design executive

          • Create meaningful internal incentives

          • Create a secure by design council

          • Create and evolve customer councils

          • Secure by design tactics

          • Secure by default tactics

    • Review

    • Exam
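The Day 1 secure by default practice "Eliminate default passwords" is the one agenda item that maps directly onto product code, so an added illustration follows. It is not course material and not code from NIST or CISA: it models a hypothetical product's local admin account that ships with no factory credential. Instead, each install generates a unique, random initial secret that must be changed on first login, and the change handler rejects a constructed denylist of well-known factory passwords. The commented-out line in the constructor shows the vulnerable-by-design alternative the course contrasts against.

```python
"""Secure-by-default admin account: no shipped default password.

Added illustration only. The product, the denylist and the policy
thresholds are assumptions for the example, not course content.
"""
import hashlib
import hmac
import os
import secrets

# Constructed denylist of well-known factory credentials (illustrative).
DEFAULT_PASSWORDS = frozenset({"admin", "password", "12345", "changeme", "default"})
MIN_PASSWORD_LENGTH = 12
PBKDF2_ROUNDS = 100_000  # kept modest so the example runs quickly


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so verification does not leak digest bytes."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def is_default_password(password: str) -> bool:
    """True if the candidate is one of the well-known factory credentials."""
    return password.strip().lower() in DEFAULT_PASSWORDS


class AdminAccount:
    """Local admin account as created at first boot of one install."""

    def __init__(self) -> None:
        # Vulnerable by design: every unit ships with the same credential.
        # self.salt, self.digest = hash_password("admin")

        # Secure by default: a per-install random secret, shown once to the
        # installer (e.g. printed on the device label or the first-boot console).
        self.initial_secret = secrets.token_urlsafe(18)
        self.salt, self.digest = hash_password(self.initial_secret)
        self.must_change = True  # the initial secret is not a working password

    def login(self, password: str) -> str:
        """Returns 'denied', 'password_change_required' or 'ok'."""
        if not verify_password(password, self.salt, self.digest):
            return "denied"
        if self.must_change:
            return "password_change_required"
        return "ok"

    def set_password(self, current: str, new: str) -> bool:
        """Replace the credential; refuses factory defaults and short values."""
        if not verify_password(current, self.salt, self.digest):
            return False
        if is_default_password(new) or len(new) < MIN_PASSWORD_LENGTH:
            return False
        self.salt, self.digest = hash_password(new)
        self.must_change = False
        return True


if __name__ == "__main__":
    acct = AdminAccount()
    print("login with 'admin':", acct.login("admin"))
    print("login with initial secret:", acct.login(acct.initial_secret))
    print("set 'changeme':", acct.set_password(acct.initial_secret, "changeme"))
    print("set strong value:", acct.set_password(acct.initial_secret, "correct-horse-battery-staple"))
    print("login after change:", acct.login("correct-horse-battery-staple"))
```

The "reduce hardening guide size" item on the same agenda is the flip side of this design: because the unsafe state (a shared factory password) cannot exist, there is nothing for the hardening guide to tell the customer to fix.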
