33.3 F
Washington D.C.
Saturday, February 15, 2025

CISA Releases New Sector Specific Goals for IT and Product Design

The Cybersecurity and Infrastructure Security Agency (CISA) released new voluntary cybersecurity performance goals for the information technology (IT) and product design sector on January 7. The IT Sector Specific Goals (SSGs) are aligned to Secure by Design principles and will help to protect the sector from cyber incidents, identify and address vulnerabilities prior to product release, improve incident response, and significantly improve software security. CISA worked extensively with the IT Sector Coordinating Council (IT SCC) to develop these goals. Through the IT SCC, subject matter experts, associations, and other key partners provided critical, beneficial input and supported the development process.

While specific to the IT sector, the goals provide software and product developers in all critical infrastructure sectors with minimum foundational practices upon which they should focus their efforts. Recommended actions include:

  • Logically separate all software development environments from each other using controls such as network segmentation and access controls.
  • Regularly log, monitor, and review trust relationships used for authorization and access across software development environments.
  • Require multi-factor authentication (MFA)—ideally phishing resistant MFA—to access all software development environments.
  • Establish and enforce security requirements for software products used across software development environments.
  • Do not store sensitive data or credentials in source code. Instead, store sensitive data and credentials in an encrypted manner, such as using a secret manager.
  • Establish a software supply chain risk management program

“The IT SSGs help critical infrastructure sectors significantly strengthen cybersecurity in the design and development of software and hardware. We encourage organizations to review and implement the goals which will benefit and protect the supply chain including consumers,” said CISA Director Jen Easterly, “The industry collaboration was critical to shaping goals with highest-impact and guiding organizations to prioritize their efforts. We applaud organizations that are choosing to take ownership of the security outcomes of their customers.”

CISA encourages product developers to adopt these SSGs to significantly improve the cybersecurity posture of software products, to include those designed for critical infrastructure services, relied upon by our nation. For more information, visit Cybersecurity Performance Goals on CISA.gov.

The original announcement can be found here.

Homeland Security Today
Homeland Security Todayhttp://www.hstoday.us
The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.

Related Articles

Latest Articles