in

CISA’s Guidance Is Toothless, Congress Must Hold Software Accountable

CISA just sharpened its “Secure by Design” message, but sharpened words are not the same as sharp teeth. The agency and its partners have updated guidance, nudged vendors with alerts, and kept the pledge program alive. That matters. But it still looks a lot like polite pressure dressed up as policy while American hospitals, utilities, and small businesses keep getting held hostage by sloppy code and the familiar “patch‑and‑pray” cycle.

CISA’s renewed push is real — but voluntary

The Cybersecurity and Infrastructure Security Agency put out updated Secure‑by‑Design guidance that expects vendors to show real evidence of secure development: SBOMs, logging and forensics, vulnerability‑disclosure policies, and clear support windows. CISA even teamed with the FBI and partners to issue alerts aimed at whole classes of flaws, like SQL injection and cross‑site scripting, telling manufacturers to stop shipping these problems in the first place. That’s progress. It’s also the kind of progress that fits neatly into a press release and a PowerPoint slide.

Why evidence matters — and why it’s not enough

Market pressure matters. Federal procurement rules and public pledges can shame some companies into doing the right thing. The White House’s National Cybersecurity Strategy even says we should “shift liability” toward makers who don’t take reasonable precautions. And as Jen Easterly — now CEO of RSAC — put it bluntly: technology manufacturers must take ownership of customer security outcomes. But here’s the rub: all of this remains voluntary. Vendors can sign a pledge, post an “evidence pack,” and still hide behind disclaimers when disaster arrives. Voluntary standards without legal teeth let the lucky and law‑abiding keep the peace while the rest keep shipping vulnerability‑laden products.

Procurement is a blunt but useful lever — Congress must finish the job

The federal government buys a mountain of software. That gives Washington leverage. CISA’s plan to use procurement requirements and public alerts is the right start. But procurement only changes the part of the market that sells to Uncle Sam. What about Main Street, local hospitals, and the water plant down the road? If a vendor can sell insecure code to everyone else and only secure flavors to federal agencies, we’ve only moved the problem. Congress needs to convert these expectations into law: limit unreasonable liability disclaimers, set a standard of care for high‑risk products, and create safe‑harbors for companies that actually meet audit‑style standards. That’s how you change corporate incentives, not by polite memos.

Call the question: accountability, not platitudes

We can stop pretending this is merely a technical problem. It is a policy problem with a market solution. If software makers are free to offload security to customers, insurers, and consultants, then the public pays the price. Manufacturers write the code. Manufacturers should answer when their shortcuts burn down a hospital’s IT or send a city’s water bills spiraling. The choice is clear: keep the current patch‑and‑pray industry where everyone but the maker pays, or give agencies like CISA and Congress the tools to hold vendors to account.

Yes, there are thorny legal and practical issues. Yes, vendors fear open liability. Fine — legislate safe‑harbors tied to measurable practices, not PR pledges. But don’t tell the public that an updated guidance doc is the same as justice. CISA’s updates are welcome, but they are a half‑measure. If policymakers mean to protect Americans, they must move beyond voluntary pledges and make software accountability the rule, not the suggestion. The era of excuses and last‑minute patches has lasted long enough.

Written by admin

Leave a Reply

Your email address will not be published. Required fields are marked *

Omar Erases $30M From Filing, Comer Demands Records

Omar Erases $30M From Filing, Comer Demands Records

President Trump Calls Ceasefire With Iran Over After Hormuz Attacks

President Trump Calls Ceasefire With Iran Over After Hormuz Attacks