Empowering Software Buyers Through Secure-by-Demand Guidelines

Interview by Deb Radcliff, editor of TalkSecure, hosted by CodeSecure and syndicated at YouTube, Bright Talk, and Security Boulevard

Recently, the Cybersecurity and Infrastructure Security Agency (CISA) released its Secure by Demand Guide for technology buyers to drive adoption of its established Secure by Design guidance for product manufacturers. 

CISA’s Secure-by-Demand guidelines lay out product-related questions and requests for artifacts that buyers should put to their vendors before acquiring new products.

In this interview, Dick Brooks explains how each of these guidelines supports the other. He also offers implementation advice and sheds light on some of the controversy surrounding OT vendors not taking the secure-by-design pledge. Watch the interview here.

As the cofounder and lead software engineer at Business Cyber, Dick helped co-author the CISA’s Secure by Design Software Acquisition Guide, and is actively involved in these and other CISA efforts to secure the software supply chain. 

“CISA has been very supportive with a buyer’s acquisition guide, a spreadsheet to track their vendor’s implementation of these concepts and to verify that the principles are being followed by the vendors, along with fact sheets, and other documentation,” he explains. (See links at end of abstract.)

As to the controversy around OT vendors signing the Secure by Design pledge, he suggests that the small number of vendors holding back on signing are already certified against the older IEC 62443 standard for OT vendor certification. Yet that certification doesn’t require secure by default (part of the Secure by Design pledge) or Software Bills of Materials (SBOMs), both of which are required elements of the CISA guidelines.

In this discussion, we also talk about how legal liability for not releasing secure products is slowly shifting to the vendor, with government agencies such as the SEC and FDA leading the charge in the U.S., not to mention a recent update that brings software under the EU Product Liability Directive (effective summer of 2026).

His advice: “Follow whatever your regulator’s doing because they’re the ones who will come knocking on your door someday.”

Resources:

Sign up to attend the CISA Secure Software Acquisition Guide WEBINAR on November 14, 1:00-2:00 PM ET.

If you have a LinkedIn account, watch CISA director Jen Easterly talk about shifting software security responsibility to product vendors in a two-minute interview with the NSA (National Security Agency).

Read Deb’s latest update on the EU Cyber Resilience Act.

CISA’s Software Acquisition Guide documentation: 

Software Acquisition Guide for Government Enterprise Consumers

Software Acquisition Guide for Government Enterprise Consumers Spreadsheet

Software Acquisition Guide Fact Sheet
