NIST/CISA Secure by Design (SBD) Fundamentals
Training Course
- Modalities: Self-Paced Online
  - Live Instructor-Led: By Request
- Duration: 2 days
Overview
This course introduces students to the foundational concepts behind the National Institute of Standards and Technology (NIST) and Cybersecurity & Infrastructure Security Agency (CISA) secure by design and secure by default practices.
Who Should Attend
- Line of Business Leadership
- Non-Technical Managers
- Technical Managers
- Industry Members (e.g., Manufacturing Extension Program, State-Federal Liaisons)
Course Agenda
- Day 1 (AM):
  - Introductions
  - What is vulnerable by design
  - What is secure by design
  - What is secure by default
  - What is the relationship with the Secure Software Development Framework (SSDF) and NIST SP 800-218
  - Security principles overview
- Day 1 (PM):
  - Software product security principles detail
    - Principle 1: Take ownership of customer security outcomes
      - Explanation
      - Demonstrating the principle
        - Secure by default practices
          - Eliminate default passwords
          - Conduct field tests
          - Reduce hardening guide size
          - Actively discourage use of unsafe legacy features
          - Implement attention grabbing alerts
          - Create secure configuration templates
        - Secure product development practices
          - Document conformance to a secure SDLC framework
          - Document cybersecurity performance goals (CPG) or equivalent conformance
          - Vulnerability management
          - Responsible use of open source software
          - Provide secure defaults for developers
          - Foster a software developer workforce that understands security
          - Test security incident event management (SIEM) and security orchestration, automation, and response (SOAR) integration
          - Align with zero trust architecture (ZTA)
        - Pro-security business practices
          - Provide logging at no additional charge
          - Eliminate hidden taxes
          - Embrace open standards
          - Provide upgrade tooling
- Day 2 (AM):
  - Software product security principles detail
    - Principle 2: Embrace radical transparency and accountability
      - Explanation
      - Demonstrating this principle
        - Secure by default practices
          - Publish aggregate security-relevant statistics and trends
          - Publish patching statistics
          - Publish data on unused privileges
        - Secure product development practices
          - Establish internal security controls
          - Publish high-level threat models
          - Publish detailed secure SDLC self-attestations
          - Embrace vulnerability transparency
          - Publish software bills of materials (SBOMs)
          - Publish a vulnerability disclosure policy
        - Pro-security business practices
          - Publicly name a secure by design senior executive sponsor
          - Publish a secure by design roadmap
          - Publish a memory-safety roadmap
          - Publish results
- Day 2 (PM):
  - Software product security principles detail
    - Principle 3: Lead from the top
      - Explanation
      - Demonstrating this principle
        - Include details of secure by design program in corporate financial reports
        - Provide regular reports to your board of directors
        - Empower the secure by design executive
        - Create meaningful internal incentives
        - Create a secure by design council
        - Create and evolve customer councils
        - Secure by design tactics
        - Secure by default tactics
  - Review
  - Exam