The Cybersecurity and Infrastructure Security Agency has published guideposts for the IT industry to help improve cybersecurity throughout the software development lifecycle. The guidance, called IT Sector-Specific Goals, or IT SSGs, recommends voluntary cybersecurity steps aligned with Secure by Design principles: identifying and addressing vulnerabilities before a product is released, and improving incident response and software security, CISA said Tuesday.
The IT SSGs’ recommendations include:
- Network segmentation and other controls that segregate the software development ecosystem
- Regular logging, monitoring and trust reviews of authorization and access across software development environments
- Phishing-resistant multifactor authentication for access to all software development processes within the ecosystem
- Security protocols for the software used in the development process
- Storing sensitive data and credentials in encrypted form rather than in source code
- Creation of a software supply chain risk management plan
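Two of the recommendations above, logging and review of access to the development environment and keeping credentials out of source code, are concrete enough to check mechanically. The following is an added example, not CISA guidance or code from the IT SSGs: a small pre-commit style scanner that flags credential-looking assignments, high-entropy string literals and private-key headers in a source file, next to a loader that insists a secret arrive from the environment (or, in production, a secret manager) instead of a literal. The sample source text, the keyword list and the entropy threshold are all constructed for this example.

```python
import math
import os
import re
from collections import Counter

# Keyword-style patterns that usually mean a credential was committed to source.
# Constructed for this example; extend the keyword list for your own code base.
SECRET_PATTERNS = [
    re.compile(r"""(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*["']([^"']{8,})["']"""),
    re.compile(r"""-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"""),
]

# Quoted literals of 20+ base64/hex-like characters are candidates for the entropy check.
LITERAL_RE = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")


def shannon_entropy(s):
    """Bits of entropy per character; random key material scores high, prose scores low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text, min_entropy=3.5):
    """Return (line number, reason, line) for every line that looks like a committed secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat in SECRET_PATTERNS:
            if pat.search(line):
                findings.append((lineno, "pattern", line.strip()))
                break
        else:
            # No keyword hit: fall back to entropy on long quoted literals.
            for m in LITERAL_RE.finditer(line):
                if shannon_entropy(m.group(1)) >= min_entropy:
                    findings.append((lineno, "high-entropy", line.strip()))
                    break
    return findings


def load_secret(name, env=os.environ):
    """Fetch a credential from the process environment; never fall back to a hard-coded value."""
    value = env.get(name)
    if not value:
        raise RuntimeError(f"secret {name} not provided; refusing to use a hard-coded fallback")
    return value


# Constructed "before" sample: a config module that commits credentials to the repository.
SAMPLE_BEFORE = """\
# constructed sample of a config module that commits credentials
DB_PASSWORD = "Tr0ub4dor&3hunter2"
API_TOKEN = "k8Ja3mQp9XzL2vRt7WbN4cHy6FgD1sEu"
SIGNING_MATERIAL = "Qw7eRt9YuI2oPa4sDf6gHj8kLz1xCv3b"
-----BEGIN RSA PRIVATE KEY-----
"""

# Constructed "after" sample: the same module reading secrets from the environment.
SAMPLE_AFTER = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
API_TOKEN = os.environ["API_TOKEN"]
"""


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        hits = scan_source(sample)
        print(f"{label}: {len(hits)} finding(s)")
        for lineno, reason, line in hits:
            print(f"  line {lineno} [{reason}]: {line}")
```

Run in a pre-commit hook or CI job, the scanner blocks the "before" module (four findings: two keyword matches, one high-entropy literal and a private-key header) and passes the "after" module, which no longer carries any literal worth encrypting. The entropy check catches material the keyword list misses; the threshold of 3.5 bits per character is a starting point, not a standard, and should be tuned against the false-positive rate in your own repository.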
Collaborative Guidance Development
The guidance was developed in partnership with the IT Sector Coordinating Council, which is composed of representatives from government agencies and the private sector. It complements the broader Cross-Sector Cybersecurity Performance Goals that CISA also developed with government and industry support.
CISA Director Jen Easterly, a Wash100 awardee, is encouraging organizations to implement the agency’s recommendations, which are aimed at supply chain and consumer protection.
“The IT SSGs help critical infrastructure sectors significantly strengthen cybersecurity in the design and development of software and hardware,” she said.