The Cybersecurity and Infrastructure Security Agency (CISA) today released cybersecurity performance goals that the agency said will help protect the information technology sector, and the design of the products it ships, from cyber threats.
The new IT Sector Specific Goals (SSGs) are aligned with CISA’s existing Secure by Design principles – which emphasize building software with security as a core priority – and will help to “identify and address vulnerabilities prior to product release, improve incident response, and significantly improve software security,” the agency said.
The goals are organized into two categories: software development process goals and product design goals.
CISA’s first set of recommendations, for the software development process, includes logging and monitoring access, enforcing phishing-resistant multi-factor authentication (MFA) and software security requirements, securing credentials, conducting network monitoring with real-time alerts, managing supply chain risks, providing a software bill of materials (SBOM), inspecting and addressing source code vulnerabilities, and publishing a vulnerability disclosure policy.
The product design set advises expanding MFA use, minimizing default passwords and vulnerabilities, ensuring timely patches, being transparent about end-of-life products, enabling cyber incident evidence collection, and including weakness and platform enumerations (CWE and CPE) in vulnerability records.
“The IT SSGs help critical infrastructure sectors significantly strengthen cybersecurity in the design and development of software and hardware. We encourage organizations to review and implement the goals which will benefit and protect the supply chain including consumers,” Jen Easterly, the director of CISA, said in a statement.
“The industry collaboration was critical to shaping goals with highest-impact and guiding organizations to prioritize their efforts. We applaud organizations that are choosing to take ownership of the security outcomes of their customers,” she continued.
When developing the performance goals, CISA said it worked with the IT Sector Coordinating Council.
While the performance goals are voluntary, CISA said that it “encourages product developers to adopt these SSGs to significantly improve the cybersecurity posture of software products, to include those designed for critical infrastructure services, relied upon by our nation.”