Fri, Apr 14

Stakeholders see opportunities in CISA secure software principles, raise questions on implementation

I concur with Ross Nodurft:

“We support CISA and other government’s efforts to encourage secure software development practices. We hope that this guidance does not diverge from or create additional expectations around the work happening at CISA and OMB regarding self-attestation to the NIST Secure Software Development Framework,” Ross Nodurft, executive director for the Alliance for Digital Innovation, told Inside Cybersecurity.

As Eric Goldstein indicates:

Goldstein said CISA recognizes “that we will never get to a zero condition for vulnerabilities in technology at least for the foreseeable future but the number can be dramatically lowered.”

I agree, Mr. Goldstein, which is why it is so perplexing that the CISA Secure by Design document does not specify explicit requirements for vendors to notify consumers ASAP when a new confirmed vulnerability raises the risk of exploitation by cyber-criminals. NIST guidance provides an SBOM "Vulnerability Disclosure Report" for this very purpose, along with OASIS Security Advisories, which many vendors already support.

IMO, lack of guidance that would require software vendors to notify consumers of risks ASAP is a gaping hole in the Secure by Design concept that needs to be addressed, if CISA is serious about giving consumers "radical transparency" into the trustworthiness of software and the software supply chain and rebalancing cybersecurity risks.