Secure by Design v1.1 A Guide to Assessing Software Security Practices

Published on July 9, 2026

Software underpins modern business operations, government services, and everyday technology—and its security is more critical than ever. Despite ongoing progress, many organizations still face a reactive cycle of patching vulnerabilities, managing configurations, and responding to incidents after the fact.

Secure by Design: A Guide to Assessing Software Security Practices v1.1 builds on the original release by providing an updated, practical, and evaluable framework for embedding security into software from the start. Developed by the Center for Internet Security® (CIS®) in collaboration with the Software Assurance Forum for Excellence in Code (SAFECode), this version reflects evolving industry expectations, regulatory drivers, and implementation needs.

What’s New in v1.1

Version 1.1 enhances the original guidance with refinements and updates to help organizations operationalize Secure by Design principles more effectively:

  • Expanded alignment with policy and regulatory drivers
    Reflects evolving requirements tied to U.S. Executive Orders and global initiatives such as the EU Cyber Resilience Act and CISA Secure by Design efforts.

  • Improved integration with NIST SSDF practices
    Strengthens mappings to the Secure Software Development Framework, reinforcing the four core practice areas (prepare, protect, produce, respond).

  • Refined maturity-based implementation guidance
    Further leverages SAFECode’s Development Groups (DGs) model to help organizations scale practices based on capability and maturity.

  • Enhanced artifact-driven verification
    Clarifies how organizations can demonstrate conformance through measurable outputs (documentation, evidence, and controls validation).

  • Stronger focus on risk-based decision making
    Emphasizes prioritization of security activities based on business risk and real-world threat exposure. 

  • Updated coverage of emerging risks (AI/ML and supply chain)
    Expands discussion on modern attack surfaces, including AI/ML systems and software supply chain dependencies. 

What’s Inside

The v1.1 guide builds on the NIST Secure Software Development Framework (SSDF) and integrates:

  • SAFECode’s Development Groups (DGs) maturity model
  • Updated mappings to the CIS Critical Security Controls® (CIS Controls®)
  • Role-based implementation guidance
  • Enhanced artifact-driven verification methods
  • Risk-based evaluation strategies
  • Expanded discussion on artificial intelligence and machine learning (AI/ML)

It also incorporates the latest developments in Secure by Design initiatives led by organizations such as CISA, NIST, and international partners, reinforcing a global shift toward proactive software security.

Who Should Use This Guide

  • Software development organizations – Understand what to implement, how to scale practices by maturity, and how to demonstrate conformance.
  • End users and customers – Learn what to require from vendors and how to evaluate software security claims.
  • Government and industry bodies – Identify measurable criteria for assessing Secure by Design adoption and compliance.

Download Package

The v1.1 guide is delivered as a ZIP archive containing:

  • The full white paper (PDF format)
  • An updated companion spreadsheet (Microsoft Excel format) with:
    • Implementation activities
    • Evidence artifacts
    • Role mappings

Note: When you download Secure by Design: A Guide to Assessing Software Security Practices v1.1, it will open as a ZIP file containing both the white paper and the supporting spreadsheet.

As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.