CISA Unveils New Cybersecurity Goals for IT and Product Design Sector

The Cybersecurity and Infrastructure Security Agency (CISA) has recently released new voluntary cybersecurity performance goals for the information technology (IT) and product design sector. These Sector Specific Goals (SSGs) are designed to strengthen security in the software development lifecycle and protect critical infrastructure from cyber threats.

Key Objectives

The IT SSGs aim to:

1. Protect the sector from cyber incidents
2. Identify and address vulnerabilities before product release
3. Improve incident response capabilities
4. Enhance overall software security

Software Development Process Goals

Environment Separation

Organizations should logically separate all software development environments, including development, build, test, and distribution. This separation helps prevent unauthorized access to sensitive data and systems, reducing the risk of lateral movement or privilege escalation between environments.

Monitoring and Logging

Regular logging, monitoring, and reviewing of trust relationships used for authorization and access across software development environments is crucial. This practice helps detect and mitigate lateral movement, privilege escalation, insider threats, and data exfiltration attempts.

Multi-Factor Authentication

Enforcing multi-factor authentication (MFA), preferably phishing-resistant MFA, for accessing all software development environments is essential. This significantly reduces the risk of unauthorized access and improves overall security.

Secure Credential Storage

Organizations should avoid storing sensitive data or credentials in source code. Instead, they should use encrypted storage methods, such as secret managers, to protect sensitive information.

Product Design Goals

Increasing MFA Usage

Products should be designed to encourage and increase the use of MFA among users. This can be achieved by implementing MFA by default, using "seat belt chimes" to nudge users towards enabling MFA, and supporting standards-based single sign-on (SSO).

Eliminating Default Passwords

Products should not use default passwords. Instead, they should implement more secure approaches, such as providing random, instance-unique initial passwords or requiring users to create strong passwords during installation.

Reducing Vulnerability Classes

Organizations should work towards reducing entire classes of vulnerabilities in their products. This can be achieved by implementing parameterized queries, transitioning to memory-safe languages, and utilizing web template frameworks.

Timely Security Patching

Providing customers with security patches in a timely manner is crucial. Organizations should also ensure that customers are aware when products are nearing end-of-life support and security patches will no longer be provided.

Additional Considerations

1. Establish a software supply chain risk management program.
2. Make a Software Bill of Materials (SBOM) available to customers.
3. Implement effective perimeter and internal network monitoring solutions.
4. Publish a vulnerability disclosure policy and address disclosed vulnerabilities promptly.

Industry Collaboration

CISA Director Jen Easterly emphasized the importance of industry collaboration in shaping these goals. The agency worked closely with the IT Sector Coordinating Council (IT SCC) and other key partners to develop these guidelines.

Relevance to SMBs

Small and medium-sized businesses (SMBs) should pay particular attention to these guidelines, as they are often targets of cyber attacks. Targeted phishing attacks are one of the leading cybersecurity threats that SMBs should prepare for. Implementing these CISA guidelines can help SMBs strengthen their cybersecurity posture.

Future of Cyber Attacks

As the threat landscape continues to evolve, it's crucial for organizations to stay ahead of potential risks. Future of cyber attacks highlight the importance of proactive cybersecurity measures. By following CISA's guidelines, organizations can better prepare for and mitigate emerging threats.

Conclusion

CISA's new Sector Specific Goals for the IT and product design sector provide a comprehensive framework for improving cybersecurity practices. By implementing these guidelines, organizations can significantly enhance their security posture, protect critical infrastructure, and contribute to a more resilient digital ecosystem.