Request for Comment on Product Security Bad Practices Guidance

Federal Register, Oct 29, 2024
89 Fed. Reg. 85976 (Oct. 29, 2024)

    Department of Homeland Security

    [Docket No. CISA-2024-0028]

    AGENCY:

    Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS).

    ACTION:

    Notice of availability; extension of comment period.

    SUMMARY:

    On October 16, 2024, the Cybersecurity Division (CSD) within the Cybersecurity and Infrastructure Security Agency (CISA) published a request for comment in the Federal Register on the voluntary, draft Product Security Bad Practices guidance, which requests feedback on the draft guidance. CISA is extending the comment period for the draft guidance for an additional fourteen days through December 16, 2024.

    DATES:

    The comment period for the proposed voluntary guidance published on October 16, 2024, at 89 FR 83508 is extended. Comments and related materials must be submitted on or before December 16, 2024.

    ADDRESSES:

    You may submit comments, identified by docket number CISA-2024-0028, by following the instructions below for submitting comments via the Federal eRulemaking Portal at https://www.regulations.gov.

    Instructions: All comments received must include the agency name and Docket Number CISA-2024-0028. All comments received will be posted without change to http://www.regulations.gov, including any personal information provided. CISA reserves the right to publicly republish relevant and unedited comments in their entirety that are submitted to the docket. Do not include personal information such as account numbers, social security numbers, or the names of other individuals. Do not submit confidential business information or otherwise sensitive or protected information.

    Docket: For access to the docket to read the draft Product Security Bad Practices Guidance or comments received, go to https://www.regulations.gov.

    FOR FURTHER INFORMATION CONTACT:

    Kirk Lawrence, 202-617-0036, SecureByDesign@cisa.dhs.gov.

    SUPPLEMENTARY INFORMATION:

    On October 16, 2024, CISA published a request for comment on voluntary, draft Product Security Bad Practices guidance (89 FR 83508). In the draft guidance, we provided an overview of product security practices that are deemed exceptionally risky, particularly for organizations supporting critical infrastructure or national critical functions (NCFs), along with recommendations for software manufacturers to voluntarily mitigate these risks. The guidance contained in the document is non-binding, and while CISA encourages organizations to avoid these bad practices, the document imposes no requirement on them to do so. The draft guidance is scoped to software manufacturers who develop software products and services, including on-premises software, cloud services, and software as a service (SaaS), used in support of critical infrastructure or NCFs. The request for comment provided for a 45-day comment period, set to close on December 2, 2024. CISA received requests to extend the deadline given the Thanksgiving holiday. Therefore, the comment period is now open through December 16, 2024.

    This notice is issued under the authority of 6 U.S.C. 652 and 659.

    Jeffrey E. Greene,

    Executive Assistant Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency, Department of Homeland Security.

    [FR Doc. 2024-25078 Filed 10-28-24; 8:45 am]

    BILLING CODE 9111-LF-P