Document headings vary by document type but may contain the following:
See the Document Drafting Handbook for more details.
AGENCY:
Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS).
ACTION:
Notice of availability; request for comment.
SUMMARY:
The Cybersecurity Division (CSD) within the Cybersecurity and Infrastructure Security Agency (CISA) requests feedback on draft Product Security Bad Practices guidance. Additionally, CISA requests input on analysis or approaches currently absent from the guidance.
DATES:
Written comments are requested on or before December 2, 2024. Submissions received after the deadline for receiving comments may not be considered.
ADDRESSES:
You may submit comments, identified by docket number CISA-2024-0028, by following the instructions below for submitting comments via the Federal eRulemaking Portal at http://www.regulations.gov.
Instructions: All comments received must include the agency name and docket number Docket Number CISA-2024-0028. All comments received will be posted without change to http://www.regulations.gov, including any personal information provided. CISA reserves the right to publicly republish relevant and unedited comments in their entirety that are submitted to the docket. Do not include personal information such as account numbers, social security numbers, or the names of other individuals. Do not submit confidential business information or otherwise sensitive or protected information.
Docket: For access to the docket to read the draft Product Security Bad Practices Guidance or comments received, go to http://www.regulations.gov.
FOR FURTHER INFORMATION CONTACT:
Kirk Lawrence; 202-617-0036; SecureByDesign@cisa.dhs.gov.
SUPPLEMENTARY INFORMATION:
I. Public Participation
Interested persons are invited to comment on this notice by submitting written data, views, or arguments using the method identified in the aforementioned ADDRESSES section. All members of the public including, but not limited to, specialists in the field, academic experts, members of industry, public interest groups, and those with relevant economic expertise are invited to comment.
II. Background
In line with CISA's Secure by Design initiative, software manufacturers should ensure security is a core consideration from the onset of software development. CISA's draft, voluntary Product Security Bad Practices guidance provides an overview of product security practices that are deemed exceptionally risky, particularly for organizations supporting critical infrastructure or national critical functions (NCFs), and it provides recommendations for software manufacturers to voluntarily mitigate these risks. The guidance contained in the document is non-binding, and while CISA encourages organizations to avoid these bad practices, the document imposes no requirement on them to do so.
The draft guidance is scoped to software manufacturers who develop software products and services, including on-premises software, cloud services, and software as a service (SaaS), used in support of critical infrastructure or NCFs.
By choosing to follow the recommendations in the draft guidance, manufacturers will signal to customers that they are taking ownership of customer security outcomes, a key secure by design principle.
CISA strongly encourage all software manufacturers to avoid the product security bad practices included in the Product Security Bad Practices guidance. The Product Security Bad Practices guidance is co-sealed with the Federal Bureau of Investigation.
III. List of Topics for Commenters
CISA seeks comments on the draft Product Security Bad Practices guidance, in the following three categories. Note: the categories are explained in detail in the draft guidance itself, available at https://www.cisa.gov/resources-tools/resources/product-security-bad-practices.
1. Product properties, which describe the observable security-related qualities of a software product itself. Listed bad practices are:
a. A new product line is developed using a memory unsafe language or the manufacturer does not publish a memory safety roadmap by January 1, 2026.
b. The product includes user-provided input directly in the raw contents of a SQL database query string.
c. The product includes user-provided input directly in the raw contents of an operating system command string.
d. The product includes default passwords.
e. The product contains, at the time of release, a component with an exploitable vulnerability present on CISA's Known Exploited Vulnerabilities (KEV) Catalog.
f. The product uses open-source software components that have critical known exploitable vulnerabilities.
A critical vulnerability is one that has an Attack Vector of “network,” Privileges Required of “None,” does not require user interaction, and has a “high” impact on at least two of the Confidentiality, Integrity, and Availability loss vectors.
2. Security features, which describe the security functionalities that a product supports. Listed bad practices are:
a. The baseline version of the product does not support multi-factor authentication.
b. The baseline version of the product does not make audit logs available.
3. Organizational processes and policies, which describe actions taken by a software manufacturer to ensure strong transparency in its approach to security. Listed bad practices are:
a. The organization fails to publish Common Vulnerabilities and Exposures (CVEs) with Common Weakness Enumerations (CWEs) in a timely manner (or at all).
b. The organization fails to publish a vulnerability disclosure policy.
CISA also welcomes comments on other areas or approaches currently absent from the guidance.
This notice is issued under the authority of 6 U.S.C. 652 and 659.
Jeffrey E. Greene,
Executive Assistant Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency, Department of Homeland Security.
[FR Doc. 2024-23869 Filed 10-15-24; 8:45 am]
BILLING CODE 9111-LF-P