
Fact Sheet: Office of the National Cyber Director Publishes an Energy Modernization Cybersecurity Implementation Plan to Secure an Ambitious Energy Future | ONCD | The White House

This report sends a strong signal indicating the end of cybersecurity status quo practices and the shift to more modern, powerful and effective "Cyber Risk Management" practices for "business resilience", designed to identify and avoid risk in the digital ecosystem used across critical infrastructure sectors, which the status quo, and the status quo pundits, fail to address. Organizations no longer have to blindly trust software and digital products; now they can determine whether these products and their producers are following CISA Secure by Design and Secure by Default practices using CISA guidance and an easy 4-step process to get started. I look forward to working with the new administration to advance these modern, effective "Cyber Risk Management" practices across critical infrastructure, through public-private partnerships managed by CISA's NRMC leadership team and energy industry visionaries, like Tom Fanning.

There is a lot to like in this plan, from the ONCD official adoption and endorsement of CISA's Secure by Design and Secure by Default principles and practices (see initiative A6 in the implementation plan document). These recommendations are also in alignment with others within the energy industry that aim to improve cybersecurity protections as the energy transition evolves.

It's very easy for an organization to check that vendors and products are implementing CISA Secure by Design and Secure by Default practices by following the simple 4-step process described in this article.

A pilot project proposal has been submitted to EPRI that will demonstrate the very concepts described in this ONCD implementation plan pertaining to Secure by Design and Secure by Default requirements/goals. A findings report will be produced identifying any obstacles encountered and the solutions needed to address any identified obstacles/issues affecting both vendors and consumers. A set of recommendations to ease "Secure by Design" and "Secure by Default" implementations will also be produced. The ultimate goal of this pilot project is to identify what is needed to secure the software supply chain from cyber-risks in the digital ecosystems used by critical infrastructure sector operators, starting with the Electric Grid, leading to more refined and complete "Cyber Risk Management" policies and practices in support of Business Risk Management best practices. Findings will also be presented to CISA's ICT_SCRM Task Force Software Assurance Work Group for consideration in the next release of the Software Acquisition Guide (V2).

EPRI Project Proposal
November 15, 2024
Business Cyber Guardian, a Reliable Energy Analytics LLC company, is proposing to work with one energy industry entity serving in the role of a software consumer to implement a CISA "Secure by Design" pilot following CISA Software Acquisition Guide practices (https://cisa.gov/sag) and one software vendor serving in the role of software supplier, to demonstrate and document the effective use of CISA Software Supply Chain Risk Management Secure by Design practices to identify trustworthy software products.