CISA publishes security goals for software development process, product design
Monday January 13, 2025, 10:01 PM, from InfoWorld
The US Cybersecurity & Infrastructure Security Agency (CISA) has published IT sector-specific goals (IT SSGs) to protect against cyber threats, including 11 software development process goals and seven product design goals.
Published January 7, the Information Technology (IT) Sector-Specific Goals were based on CISA operational data and research on the current threat landscape. The IT SSGs are additional voluntary practices: high-impact security actions that go beyond the cross-sector Cybersecurity Performance Goals (CPGs). The goals were developed in collaboration with government, industry groups, and private sector groups.

The number-one software development process goal is to separate all environments used in software development, including development, build, test, and distribution environments, to prevent unauthorized access to sensitive data and systems. The number-one goal for secure product design is to increase the use of multifactor authentication (MFA) to reduce the risk of password compromise or use of weak passwords.

The complete list of security goals for the software development process:

1. Separate all environments used in software development.
2. Regularly log, monitor, and review trust relationships used for authorization and access across software development environments.
3. Enforce multifactor authentication (MFA) across software development environments.
4. Establish and enforce security requirements for software products used across software development environments.
5. Securely store and transmit credentials used in software development environments.
6. Implement effective perimeter and internal network monitoring solutions with streamlined, real-time alerting to aid responses to suspected and confirmed cyber incidents.
7. Establish a software supply chain risk management program.
8. Make a software bill of materials (SBOM) available to customers.
9. Inspect source code for vulnerabilities through automated tools or comparable processes, and mitigate known vulnerabilities prior to any release of products, versions, or updates.
10. Address identified vulnerabilities prior to product release.
11. Publish a vulnerability disclosure policy.

The complete list of security goals for software product design:

1. Increase the use of multifactor authentication (MFA).
2. Reduce default passwords.
3. Reduce entire classes of vulnerabilities.
4. Provide customers with security patching in a timely manner.
5. Ensure customers understand when products are nearing end-of-life support and security patches will no longer be provided.
6. Include Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the organization's products.
7. Increase the ability for customers to gather evidence of cybersecurity intrusions affecting the organization's products.
https://www.infoworld.com/article/3801750/cisa-publishes-security-goals-for-software-development-pro...