CISA seeks input on upcoming guidance for product security flaws

SeniorTechInfo

The US Cybersecurity and Infrastructure Security Agency (CISA) Seeks Public Input on Product Security Bad Practices Guidance

As part of its ongoing Secure by Design initiative, the US Cybersecurity and Infrastructure Security Agency (CISA) has announced the release of a draft guidance document aimed at addressing product security practices that pose significant risks to organizations supporting critical national infrastructure (CNI) or national critical functions (NCFs).

The upcoming Product Security Bad Practices guidance will offer recommendations for software manufacturers developing a wide range of products and services, including on-premises software, cloud services, and software as a service (SaaS). While these recommendations are non-binding, they are intended to help organizations voluntarily mitigate potential security risks.

Key Focus Areas

The guidance, co-developed by CISA’s Cybersecurity Division (CSD) and the FBI, is organized into three key categories:

  1. Product properties: Identifying security-related qualities of software products, such as default passwords and known exploitable vulnerabilities.
  2. Security features: Evaluating the security functionalities that products support, including factors like unsupported multifactor authentication and unavailable audit logs.
  3. Organizational processes and policies: Assessing manufacturer actions related to security transparency, such as the presence of vulnerability disclosure policies and reporting mechanisms.

CISA is actively seeking feedback from stakeholders on the draft guidance, encouraging input on any analysis or approaches currently missing from the document. The agency aims to create a comprehensive resource that addresses the most critical security concerns facing modern organizations.

By engaging with the guidance, manufacturers can demonstrate their commitment to prioritizing customer security outcomes—a foundational principle of the Secure by Design initiative.

Interested parties are invited to contribute their thoughts and suggestions by December 2, 2024, in order to help shape the final version of the Product Security Bad Practices guidance.

For more information on the Secure by Design initiative and the importance of incorporating cybersecurity considerations early in the product development process, check out Security By Design – A Promising Approach to Cybersecurity.
