CISA Urges IT and Design Sector Software Developers to Improve Cyber Hygiene
The U.S. cyber defense agency is urging software and product developers to isolate software development environments with network segmentation and access controls, monitor trust relationships for authorization and implement supply chain risk management programs that align with a series of IT sector-specific goals.
The Cybersecurity and Infrastructure Security Agency on Tuesday published voluntary cybersecurity performance goals for the IT and product design sector, providing software and product developers across all critical infrastructure sectors with baseline standards for robust cyber hygiene and risk mitigation. The guidance urges developers to adopt CISA’s Secure by Design principles by enforcing phishing-resistant multi-factor authentication for software development environments, setting strict security requirements for software tools and securely storing sensitive data and credentials using encryption or secret managers.
Many practices in CISA’s voluntary requirements have been standard in the industry for decades, particularly secure code development, said Scott Algeier, executive director of the IT Information Sharing and Analysis Center.
“While reaching these goals is valuable, it is important to understand that no organization has unlimited resources,” Algeier told Information Security Media Group. “Some organizations may have to prioritize certain strategies over others.”
Over the past two years, CISA has led an initiative urging tech manufacturers to embed cybersecurity into product development, publish vulnerability disclosure policies and ensure transparent reporting of vulnerabilities for public testing. At least 68 tech companies joined CISA’s Secure by Design pledge last year, committing to seven goals such as adopting multi-factor authentication, eliminating default passwords and key vulnerabilities, and improving security patching across their products (see: Technology Giants Join CISA’s Secure by Design Pledge).
The latest guidance includes specific steps to ensure the sector hews to those principles, including making software bills of material available to all customers. The agency acknowledged the high cost and complexity of the recommendation but emphasized its significant impact, describing it as critical to strengthening cybersecurity.
Algeier also suggested that the cost and complexity of providing SBOMs to all customers could pose challenges. “I expect companies will continue to evaluate the value of making SBOMs available on all products to all customers.”
CISA has ramped up guidance to strengthen cybersecurity in software development across critical infrastructure sectors. In October, it partnered with the FBI to warn against “exceptionally risky practices,” such as using memory-unsafe languages in new product lines, citing threats to national security and critical infrastructure (see: CISA Unveils ‘Exceptionally Risky’ Software Bad Practices).
In a statement, CISA Director Jen Easterly said the new sector-specific goals “help critical infrastructure sectors significantly strengthen cybersecurity in the design and development of software and hardware.” She added that organizations should “review and implement the goals which will benefit and protect the supply chain including consumers.”