CISA’s Secure by Design Trajectory: 2 Years In

When CISA rolled out the Secure by Design initiative in April 2023, the idea was simple but bold: stop putting the weight of cybersecurity on consumers and small businesses, and shift that responsibility back to the tech companies actually building the software and hardware. Instead of patching security flaws after products hit the market, the plan was to bake in protections from the start.
This wasn’t about strict regulations. Instead, it was part of the Biden administration’s broader cyber strategy, encouraging vendors to voluntarily make security a baseline feature of their products.
Fast forward two years, and things look a lot more uncertain. Leadership changes, pushback from the industry, and a new political climate are all raising questions about whether Secure by Design will keep momentum or quietly fade into the background.
What Secure by Design Was All About
At its core, Secure by Design was about making security the default. Think multi-factor authentication (MFA) turned on by default, security logging included in the base product rather than sold as a paid add-on, and whole classes of vulnerabilities eliminated at the design stage rather than patched one at a time after release.
The program’s philosophy was clear: security should be part of the product DNA.
Wins So Far
For a voluntary program, Secure by Design scored some early victories.
- Over 250 tech companies signed a seven-part pledge to improve software security.
- Big players like Microsoft and Google started showcasing their progress under the initiative.
- CISA published best-practice guidance and worked with international partners to give the effort global visibility.
These steps helped push the conversation toward one big takeaway: security needs to be designed in, not left for end users to figure out.
Where Industry Drew the Line
Not everyone was thrilled. Many tech execs felt the pledges were inching too close to regulation. They worried about higher costs, slower development, and government creep into their design decisions.
Industry groups pushed back, arguing CISA was blurring the line between voluntary guidance and regulation. That resistance led to a softer final pledge, less binding than what CISA originally envisioned.
Groups like BSA (The Software Alliance) even urged the White House to end what they called “quasi-regulatory actions in cybersecurity.” And while companies like SecurityScorecard voiced support, they noted that adoption was slow: only 199 signers in the first year, a small slice of the software industry.
The message was clear: support was there, but only up to a point.
Key Leaders Step Away
The campaign also lost some of its biggest champions. In early 2025, Bob Lord and Lauren Zabierek, two senior advisers who had been central to shaping the initiative, stepped down. Their exits followed the earlier departure of Jack Cable, another well-known contributor.
Their work had made a real difference. Even skeptics admit Secure by Design helped raise standards. But without them inside CISA, keeping momentum won’t be easy.
Politics Shifts the Ground
The return of the Trump administration adds another wrinkle. This White House is far less likely to back pressure campaigns on industry. Recent moves already signal a pullback, such as rolling back the Biden-era requirement that software vendors selling to the federal government formally attest that they follow secure development practices. Now only loose guidance remains.
Industry voices are picking up on the shift. Henry Young of BSA predicted the campaign would “evolve” to balance government and business roles more realistically. Others are blunter: one CISA staffer told Wired that without strong White House support, Secure by Design becomes “toothless.”
In short, the political winds are blowing toward deregulation and business flexibility, not toward stricter software security obligations.
CISA’s Stance Today
Despite the headwinds, CISA isn’t abandoning ship. Acting Director Bridget Bean has doubled down on the message that companies need to build products that are secure out of the box, not pass the costs of weak design onto customers.
At the same time, she hinted that the program will “evolve,” which could mean scaling back, changing form, or simply becoming less visible.
What Could Happen Next
The road ahead for Secure by Design isn’t set in stone. A few possibilities are on the table:
- Lower profile: The pledge keeps going, but with less energy behind it.
- Sunset: The program winds down formally, though the ideas live on.
- Industry-led: Leaders like Bob Lord continue the movement outside government.
Each scenario raises the same big question: should responsibility for safer software rest with government, with industry, or with some mix of the two?
Why It Matters
If Secure by Design loses steam, the risks fall back on consumers, small businesses, and the broader supply chain. Insecure products, rushed to market, could keep fueling breaches and attacks. And without strong standards, the gap between proactive companies and lagging ones will only widen.
Still, the initiative has already left its mark. It set expectations that security needs to be designed in, not bolted on. Even if the official program changes or winds down, that cultural shift could continue to influence how products are built and sold.
At a Crossroads
Secure by Design was never just about one pledge or one agency. It’s part of a bigger debate: who should own the responsibility for protecting users in a digital-first world?
With leadership turnover, industry pushback, and a changing political climate, the program’s future is cloudy. But the principle behind it, security from the start rather than after the fact, is here to stay.