So I have a ton of thoughts on the CISA Secure by Design and Secure by
Default push that is ongoing, as I am sure many of you do. And the first
thought is: this is not a bad way to go about business as a government
agency in general. I think it's easy to ignore how fast the USG has changed
its business practices, showing an agility that few large organizations can
match, with Secure by Design in particular as a case example.
   1. Massive outreach to garner feedback (including at DEF CON, but also
   via email, etc.)
   2. Multiple rounds of editing of proposals
   3. Actual people you could call and talk to about the proposal, with
   their faces and positions listed right in the papers and blogs and lawfare
   podcasts. If you were in DC today you could probably hit one of them up for
   drinks or lunch or whatever.
   4. Interaction across multiple stakeholder groups, including
   internationally
   5. The "right people" involved - and you can tell their backgrounds from
   what they are annoyed about during their podcasts and other presentations
   (e.g. Bob Lord is very annoyed about XSS and obsessed with car safety,
   which I'll dig into later). But Jack Cable, Lauren Zabierek and Grant
   Dasher are also all worth listening to.
   6. Clear executive support
So that's all good stuff. I thought I would post it as its own note because
it's rare to spend a moment to look at the government process, and not see
literally sausage being made. :)
-dave