Software developers who want to sell to the federal government better ensure they are meeting minimum cybersecurity standards, or else, a top federal official said Thursday at the Potomac Officers Club’s 2025 Cyber Summit.

“I’m not going to buy anything that is not ‘Secure by Design,’” said Bridget Bean, senior official performing the duties of the director of the Cybersecurity and Infrastructure Security Agency, in her keynote address. “If people want to do business with the government, they better hear this message: We’re going to enforce security standards that are already in effect.”

What Is Secure by Design?

Secure by Design is a major CISA effort to have software developers treat the security of their customers as a core business requirement rather than as a technical feature. CISA wants companies to apply Secure by Design principles during the design phase of a product's development lifecycle, so that the number of exploitable flaws is significantly reduced before the product reaches the market for widespread use.

Bean said CISA will not pay for security add-ons. The agency will also hold software developers accountable for every minimum security clause in a contract, of which she said there are hundreds.

The reason for this, Bean said, is to make it harder for cyber adversaries to operate. Software that is designed, developed and deployed with security in mind raises the cost of attack. Adversaries currently have it too easy, she said, because they are very patient and exploit weaknesses such as weak passwords.

“It should not be the onus, the responsibility, on someone to go enable security features,” Bean said. “These things should just be inherent.”

DHS Prioritizing Cyber

Bean said Homeland Security Secretary Kristi Noem is prioritizing cybersecurity in a holistic approach to homeland security. The U.S., she said, is securing land, air, maritime and cybersecurity borders and CISA is “absolutely” a critical pillar in homeland security.

Noem in April addressed the RSAC conference in San Francisco, a prestigious trade show for cybersecurity professionals. Bean said Noem was the first Department of Homeland Security secretary to speak at RSAC.

What Is CISA 2015?

Bean called for the reauthorization of the Cybersecurity Information Sharing Act of 2015, which authorizes companies to monitor and implement defensive measures on their own information systems to counter cybersecurity threats. It also provides certain protections to encourage companies to voluntarily share information about cyber threat indicators and defensive measures with federal, state and local governments.

Bean said CISA 2015 is important to national security because it allows entities to share information in a safe environment by providing liability and anti-trust protections. The House Homeland Security cybersecurity and infrastructure protection subcommittee planned to hold a hearing on Thursday to discuss reauthorizing CISA 2015.

“(CISA 2015) has really been foundational to some of the most important work we’ve done,” Bean said.
