2025-01-10

The Cybersecurity and Infrastructure Security Agency has published guideposts for the IT industry to help improve cybersecurity throughout the software development lifecycle. The guidance, called IT Sector-Specific Goals, or IT SSGs, recommends voluntary cybersecurity steps aligned with Secure by Design principles, aimed at identifying and addressing vulnerabilities before a product is released and at improving incident response and software security, CISA said Tuesday.

The IT SSGs’ recommendations include:

Network segmentation and other controls to segregate the software development ecosystem

Instituting regular logging, monitoring and trust reviews of authorization and access across the software development environments

Providing phishing-resistant multifactor authentication for access to all software development processes within the ecosystem

Establishing security protocols for software used in the development process

Storing sensitive data and credentials in encrypted form rather than in source code

Creating a software supply chain risk management plan
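The recommendation to keep credentials out of source code is the one item on this list a reviewer can check mechanically. What follows is an added example, not part of CISA's guidance or of this article: a small scanner for common hardcoded-credential shapes, run over two constructed source snippets, plus a loader that reads the credential from the runtime environment instead. The pattern set, the snippet contents and the variable name SERVICE_API_KEY are assumptions made for the illustration.

```python
"""Added example (not CISA's code): flag hardcoded credentials in source text and
show the alternative of loading a credential from the runtime environment."""
import re
import os
from typing import List, Mapping, Optional, Tuple

# Assumed rule set: a few shapes reviewers commonly look for. Real scanners
# carry far larger rule sets; this is only enough to demonstrate the check.
SECRET_PATTERNS = [
    # name = "literal" / name: "literal" where name looks like a secret
    ("assignment", re.compile(
        r"""(?i)\b(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['"]([^'"]{6,})['"]""")),
    # AWS access key id prefix followed by 16 uppercase alphanumerics
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # PEM private-key header pasted into a file
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
]


def scan_source(text: str, path: str = "<constructed>") -> List[Tuple[str, int, str]]:
    """Return (path, line number, rule name) for each line that matches a rule.
    One finding per line is enough for a merge gate, so stop at the first hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((path, lineno, name))
                break
    return findings


def block_merge(findings: List[Tuple[str, int, str]]) -> bool:
    """CI gate: any finding blocks the change until the secret is moved out
    of source and rotated (the file history still contains it)."""
    return len(findings) > 0


def load_credential(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Read a credential injected at runtime (environment variable populated
    from a secrets manager) and fail loudly if it is absent, rather than
    falling back to a literal in the code."""
    source = os.environ if env is None else env
    try:
        return source[name]
    except KeyError:
        raise RuntimeError(f"credential {name!r} not provided at runtime") from None


# Constructed sample: credentials embedded in source (the anti-pattern).
SAMPLE_BAD = '''\
import requests
API_KEY = "sk_live_9f8e7d6c5b4a3210ffee"
aws_key = "AKIAABCDEFGHIJKLMNOP"
def fetch():
    return requests.get(URL, headers={"Authorization": API_KEY})
'''

# Constructed sample: the same code with the credential supplied at runtime.
SAMPLE_GOOD = '''\
import os, requests
API_KEY = os.environ["SERVICE_API_KEY"]   # injected from a secrets manager
def fetch():
    return requests.get(URL, headers={"Authorization": API_KEY})
'''

if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        hits = scan_source(sample, path=f"sample_{label}.py")
        print(label, "findings:", hits, "block merge:", block_merge(hits))
```

Run as a pre-commit or CI step, the scanner rejects the first snippet on lines 2 and 3 and passes the second; the loader is the shape the second snippet relies on, so a missing variable fails at startup instead of silently using a stale literal.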

Collaborative Guidance Development

The guidance was developed in partnership with the IT Sector Coordinating Council, which is composed of representatives from government agencies and the private sector. It complements the broader Cross-Sector Cyber Performance Goals that CISA also developed with government and industry support.

CISA Director Jen Easterly, a Wash100 awardee, is encouraging organizations to implement the agency’s recommendations, which are aimed at supply chain and consumer protection.

“The IT SSGs help critical infrastructure sectors significantly strengthen cybersecurity in the design and development of software and hardware,” she said.