top of page

NIST/CISA Secure by Design (SBD) Fundamentals

Training Course

Best NIST/CISA Secure by Design SBD Training Course

Title: NIST/CISA Secure by Design (SBD) Fundamentals

  • Modalities: Virtual | Classroom | Hybrid

  • Duration: 2 days



This course is designed to introduces students to the foundational concepts behind the National Institute of Standards and Technology (NIST) and Cybersecurity & Infrastructure Security Agency (CISA) secure by design and secure by default practices. 


Who Should Attend

  • Line of Business Leadership

  • Non-Technical Managers

  • Technical Managers

  • Industry Members (e.g., Manufacturing Extension Program, State-Federal Liaisons)


Course Agenda

  • Day 1 (AM):

    • Introductions

    • What is vulnerable by design

    • What is secure by design

    • What is secure by default

    • What is the relationship with the Secured Software Development Framework (SSDF) and NIST SP 800-218

    • Security principles overview

  • Day 1 (PM):

    • Software product security principles detail

      • Principle 1: Take ownership of customer security outcomes

        • Explanation

        • Demonstrating the principle

          • Secure by default practices

            • Eliminate default passwords

            • Conduct field tests

            • Reduce hardening guide size

            • Actively discourage use of unsafe legacy features

            • Implement attention grabbing alerts

            • Create secure configuration templates

          • Secure product development practices

            • Document conformance to a secure SDLC framework

            • Document cybersecurity performance goals (CPG) or equivalent conformance

            • Vulnerability management

            • Responsible use of open source software

            • Provide secure defaults for developers

            • Foster a software developer workforce that understands security

            • Test security incident event management (SIEM) and security orchestration, automation, and response (SOAR) integration

            • Align with zero trust architecture (ZTA)

          • Pro-security business practices

            • Provide logging at no additional charge

            • Eliminate hidden taxes

            • Embrace open standards

            • Provide upgrade tooling

    • Day 2 (AM):

      • Software product security principles detail

        • Principle 2: Embrace radical transparency and accountability

          • Explanation

          • Demonstrating this principle

            • Secure by default practices

              • Publish aggregate security-relevant statistics and trends

              • Publish patching statistics

              • Publish data on unused privileges

            • Secure product development practices

              • Establish internal security controls

              • Publish high-level threat models

              • Publish detailed secure SDLC self-attestations

              • Embrace vulnerability transparency

              • Publish software bills of materials (SBOMs)

              • Publish a vulnerability disclosure policy

            • Pro-security business practices

              • Publicly name a secure by design senior executive sponsor

              • Publish a secure by design roadmap

              • Publish a memory-safety roadmap

              • Publish results

      • Day 2 (PM):

        • Software product security principles detail

          • Principle 3: Lead from the top

            • Explanation

            • Demonstrating this principle

              • Include details of secure by design program in corporate financial reports

              • Provide regular reports to your board of directors

              • Empower the secure by design executive

              • Create meaningful internal incentives

              • Create a secure by design council

              • Create and evolve customer councils

              • Secure by design tactics

              • Secure by default tactics

        • Review

        • Exam

bottom of page