CIS, SAFECode Launch Secure by Design Guide to Help Developers Meet National Software Security Expectations

New white paper offers practical, risk-based guidance aligned with NIST SSDF and CIS Controls

EAST GREENBUSH, N.Y., and WAKEFIELD, Mass., Oct. 23, 2025 – The Center for Internet Security, Inc. (CIS®) and the Software Assurance Forum for Excellence in Code (SAFECode) have released a joint white paper, Secure by Design: A Guide to Assessing Software Security Practices, to help software development organizations meet growing national and international expectations for secure software.

The publication addresses a long-standing gap in cybersecurity: the lack of practical, evaluable, and aligned guidance for building software that is secure by design. It offers actionable steps for developers, end users, and government bodies to assess and improve software security practices across six key areas: secure software design, secure development, secure default configuration, supply chain security, code integrity, and vulnerability remediation.

“Secure by Design is more than a slogan; it’s a responsibility,” said Curtis Dukes, Executive Vice President and General Manager of Security Best Practices at CIS. “This guide gives developers and organizations a clear path to implement secure software practices that are both effective and adaptable across different environments.”

The guide builds on NIST’s Secure Software Development Framework (SSDF) and incorporates SAFECode’s Development Groups (DGs) model to tailor recommendations to organizations of varying maturity levels. It also maps practices to the CIS Critical Security Controls® (CIS Controls®) and identifies responsible roles and artifacts to demonstrate compliance. The paper includes a dedicated section on the security implications of artificial intelligence and machine learning (AI/ML), offering insights into emerging risks and considerations.

“By combining the strengths of CIS, SAFECode, and a community of experts, we’ve created a resource that helps developers move from principles to practice,” said Steve Lipner, Executive Director of SAFECode. “This guide supports risk-based decision-making and helps organizations meet the expectations of initiatives like CISA’s Secure by Design and the EU Cyber Resilience Act.”

The guide responds to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) Secure by Design initiative and supports the mandates related to software security that are outlined in Executive Order 14306, "Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144," and the relevant portions of Executive Order 14028.

Organizations adopting the practices outlined in the guide may also benefit from existing State safe harbor provisions and compliance frameworks that recognize the use of CIS Controls and NIST SSDF. The guide reinforces the shared responsibility of software developers to deliver secure systems and empowers end users to evaluate software security with confidence.

To arrange an interview with CIS or SAFECode regarding Secure by Design: A Guide to Assessing Software Security Practices, contact [email protected].

###

About CIS

The Center for Internet Security, Inc. (CIS) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation. We are a community-driven nonprofit, responsible for the CIS Critical Security Controls® and CIS Benchmarks™ guidelines, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously evolve these standards and provide products and services to proactively safeguard against emerging threats. Our CIS Hardened Images® provide secure, on-demand, scalable computing environments in the cloud. CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) organization, the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities, and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®) organization, which supports the rapidly changing cybersecurity needs of U.S. election offices. To learn more, visit cisecurity.org or follow us on X: @CISecurity.

About SAFECode

The Software Assurance Forum for Excellence in Code (SAFECode) is a nonprofit organization dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode brings together leading software companies to share best practices and develop guidance that helps organizations improve the security and integrity of their software. Learn more at safecode.org.