So I have a ton of thoughts on the CISA Secure by Design and Secure by Default push that is ongoing, as I am sure many of you do. And the first thought is: This is not a bad way to go about business as a government agency in general. I think it's easy to ignore how fast the USG has changed its business practices, showing an agility that few large organizations can match. In particular, using Secure by Design as a case example:

  1. Massive outreach to garner feedback (including at defcon, but also via email, etc.)
  2. Multiple rounds of editing of proposals
  3. Actual people you could call and talk to about the proposal, with their faces and positions listed right in the papers and blogs and lawfare podcasts. If you were in DC today you could probably hit one of them up for drinks or lunch or whatever.
  4. Interaction across multiple stakeholder groups, including internationally
  5. The "right people" involved - and you can tell their backgrounds from what they are annoyed about during their podcasts and other presentations. (e.g. Bob Lord is very annoyed about XSS and obsessed with car safety, which I'll dig into later). But also Jack Cable, Lauren Zabierek and Grant Dasher are all worth listening to.
  6. Clear executive support
So that's all good stuff. I thought I would post it as its own note because it's rare to spend a moment to look at the government process, and not see literally sausage being made. :)

-dave