Press Release

CISA Releases New Sector Specific Goals for IT and Product Design

Released
Related topics:
Cybersecurity Best Practices

Guidance helps all organizations strengthen security in software development life cycle

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) released new voluntary cybersecurity performance goals for the information technology (IT) and product design sector. The IT Sector Specific Goals (SSGs) are aligned to Secure by Design principles and will help to protect the sector from cyber incidents, identify and address vulnerabilities prior to product release, improve incident response, and significantly improve software security. CISA worked extensively with the IT Sector Coordinating Council (IT SCC) to develop these goals. Through the IT SCC, subject matter experts, associations, and other key partners provided critical, beneficial input and supported the development process.

While specific to the IT sector, the goals provide software and product developers in all critical infrastructure sectors with minimum foundational practices upon which they should focus their efforts. Recommended actions include:

  • Logically separate all software development environments from each other using controls such as network segmentation and access controls.
  • Regularly log, monitor, and review trust relationships used for authorization and access across software development environments.
  • Require multi-factor authentication (MFA)—ideally phishing resistant MFA—to access all software development environments.
  • Establish and enforce security requirements for software products used across software development environments.
  • Do not store sensitive data or credentials in source code. Instead, store sensitive data and credentials in an encrypted manner, such as using a secret manager.
  • Establish a software supply chain risk management program

“The IT SSGs help critical infrastructure sectors significantly strengthen cybersecurity in the design and development of software and hardware. We encourage organizations to review and implement the goals which will benefit and protect the supply chain including consumers,” said CISA Director Jen Easterly, “The industry collaboration was critical to shaping goals with highest-impact and guiding organizations to prioritize their efforts. We applaud organizations that are choosing to take ownership of the security outcomes of their customers.”

CISA encourages product developers to adopt these SSGs to significantly improve the cybersecurity posture of software products, to include those designed for critical infrastructure services, relied upon by our nation. For more information, visit Cybersecurity Performance Goals on CISA.gov. 

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on XFacebookLinkedIn, Instagram

Related Articles