The Cybersecurity and Infrastructure Security Agency (CISA) unveiled new cyber performance goals aimed at addressing risks to software development and product design in the IT sector.
Last week, the Cybersecurity and Infrastructure Security Agency announced a new set of cyber performance goals (CPGs) tailored to the information technology and product design sector. These voluntary goals are focused on protecting the IT sector from cyber incidents, bolstering incident response preparedness, mitigating vulnerabilities in advance of product release, and enhancing software security.
This guidance is part of CISA’s ongoing initiative to develop sector-specific CPGs, and it follows the agency’s recently unveiled CPGs for K-12 schools and the chemical sector. CISA Director Jen Easterly has championed CPGs as a tool to “help critical infrastructure sectors significantly strengthen cybersecurity in the design and development of software and hardware,” and calls upon companies to adopt these goals to “benefit and protect the supply chain.”
The IT Sector Specific Goals (IT SSGs) are organized around 1) software development process goals and 2) product design goals. For each of these topics, CISA proposes specific actions and strategies that entities may wish to take to augment “the cybersecurity posture of software products”:
Software Development Process Goals. CISA recommends a) implementing network segmentation, access controls, and other methods of keeping software development environments separate from other environments, b) routinely monitoring and documenting trust relationships that govern authorization and access to software development environments, c) mandating multi-factor authentication (MFA) across all software development environments (especially phishing-resistant MFA), d) creating and maintaining security requirements, e) encrypting sensitive data and source code, f) developing a software supply chain risk management program, g) producing a software bill of materials (SBOM) that is accessible to customers, and h) issuing a vulnerability disclosure policy, among others.
Product Design Goals. In conjunction with the software development goals, CISA also outlines the importance of a) incorporating MFA into products, b) eliminating default passwords from software products, c) taking action to reduce SQL injection, memory safety, and cross-site scripting (XSS) vulnerabilities, d) promptly providing security patches to customers, and e) giving customers mechanisms to monitor and respond to intrusions affecting a product, along with additional goals oriented to product design.
While CISA recognizes that each of its recommended actions comes with a range of implementation costs, CISA takes the position that each of these goals can have a high positive impact on overall product safety. Companies that are seeking to bolster their product security programs may wish to consider whether the recommendations in this CPG provide useful insights for those programs.
Authored by Nathan Salminen and Ryan Campbell.