CISA Releases New Security Guidelines for Software Development and Design

The US Cybersecurity & Infrastructure Security Agency (CISA) has published new IT sector-specific goals (IT SSGs) aimed at strengthening cybersecurity measures in software development. Released on January 7, these guidelines include 11 goals for software development processes and seven for product design, representing additional voluntary practices beyond existing cross-sector cybersecurity performance goals (CPGs).

Key Development Process Goals

The guidelines emphasize environment separation as the primary software development process goal. This requires organizations to maintain distinct development, build, test, and distribution environments to prevent unauthorized access to sensitive systems and data.

For product design, the implementation of multifactor authentication (MFA) takes precedence, targeting the reduction of risks associated with password compromises and weak password usage. These goals were developed through collaborative efforts between government agencies, industry groups, and private sector organizations.

Software Development Process Guidelines

The complete set of security goals for software development processes includes:

1. Separation of all software development environments
2. Regular monitoring and review of trust relationships across development environments
3. Mandatory multifactor authentication implementation
4. Establishment of security requirements for software products
5. Secure credential storage and transmission
6. Implementation of effective network monitoring solutions
7. Establishment of supply chain risk management
8. Provision of software bill of materials (SBOM)
9. Source code vulnerability inspection through automated tools
10. Pre-release vulnerability mitigation
11. Publication of vulnerability disclosure policies

Product Design Security Goals

The seven key security goals for product design comprise:

1. Enhanced multifactor authentication implementation
2. Elimination of default passwords
3. Reduction of vulnerability classes
4. Timely security patch delivery
5. Clear end-of-life support communication
6. Inclusion of CWE and CPE fields in CVE records
7. Improved customer access to cybersecurity intrusion evidence

These guidelines, based on CISA’s operational data and current threat landscape research, represent a comprehensive approach to enhancing software security from development through deployment and maintenance phases.

Organizations implementing these guidelines will better position themselves to protect against cyber threats while providing more secure products to their customers. The emphasis on both development processes and product design ensures a holistic approach to software security.