Notice 2024-23869
Request for Comment on Product Security Bad Practices Guidance
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
October 16, 2024
Issuing agencies
Homeland Security Department
Abstract
The Cybersecurity Division (CSD) within the Cybersecurity and Infrastructure Security Agency (CISA) requests feedback on draft Product Security Bad Practices guidance. Additionally, CISA requests input on analysis or approaches currently absent from the guidance.
Full Text
<html>
<head>
<title>Federal Register, Volume 89 Issue 200 (Wednesday, October 16, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 200 (Wednesday, October 16, 2024)]
[Notices]
[Pages 83508-83509]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-23869]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
[Docket No. CISA-2024-0028]
Request for Comment on Product Security Bad Practices Guidance
AGENCY: Cybersecurity and Infrastructure Security Agency (CISA),
Department of Homeland Security (DHS).
ACTION: Notice of availability; request for comment.
-----------------------------------------------------------------------
SUMMARY: The Cybersecurity Division (CSD) within the Cybersecurity and
Infrastructure Security Agency (CISA) requests feedback on draft
Product Security Bad Practices guidance. Additionally, CISA requests
input on analysis or approaches currently absent from the guidance.
DATES: Written comments are requested on or before December 2, 2024.
Submissions received after the deadline for receiving comments may not
be considered.
ADDRESSES: You may submit comments, identified by docket number CISA-
2024-0028, by following the instructions below for submitting comments
via the Federal eRulemaking Portal at <a href="http://www.regulations.gov">http://www.regulations.gov</a>.
Instructions: All comments received must include the agency name
and docket number (Docket Number CISA-2024-0028). All comments received
will be posted without change to <a href="http://www.regulations.gov">http://www.regulations.gov</a>, including
any personal information provided. CISA reserves the right to publicly
republish relevant and unedited comments in their entirety that are
submitted to the docket. Do not include personal information such as
account numbers, social security numbers, or the names of other
individuals. Do not submit confidential business information or
otherwise sensitive or protected information.
Docket: For access to the docket to read the draft Product Security
Bad Practices Guidance or comments received, go to <a href="http://www.regulations.gov">http://www.regulations.gov</a>.
FOR FURTHER INFORMATION CONTACT: Kirk Lawrence; 202-617-0036;
SecureByDesign@cisa.dhs.gov.
SUPPLEMENTARY INFORMATION:
I. Public Participation
Interested persons are invited to comment on this notice by
submitting written data, views, or arguments using the method
identified in the aforementioned ADDRESSES section. All members of the
public including, but not limited to, specialists in the field,
academic experts, members of industry, public interest groups, and
those with relevant economic expertise are invited to comment.
II. Background
In line with CISA's Secure by Design initiative, software
manufacturers should ensure security is a core consideration from the
onset of software development. CISA's draft, voluntary
[[Page 83509]]
Product Security Bad Practices guidance provides an overview of product
security practices that are deemed exceptionally risky, particularly
for organizations supporting critical infrastructure or national
critical functions (NCFs), and it provides recommendations for software
manufacturers to voluntarily mitigate these risks. The guidance
contained in the document is non-binding, and while CISA encourages
organizations to avoid these bad practices, the document imposes no
requirement on them to do so.
The draft guidance is scoped to software manufacturers who develop
software products and services, including on-premises software, cloud
services, and software as a service (SaaS), used in support of critical
infrastructure or NCFs.
By choosing to follow the recommendations in the draft guidance,
manufacturers will signal to customers that they are taking ownership
of customer security outcomes, a key secure by design principle.
CISA strongly encourages all software manufacturers to avoid the
product security bad practices included in the Product Security Bad
Practices guidance. The Product Security Bad Practices guidance is co-
sealed with the Federal Bureau of Investigation.
III. List of Topics for Commenters
CISA seeks comments on the draft Product Security Bad Practices
guidance, in the following three categories. Note: the categories are
explained in detail in the draft guidance itself, available at <a href="https://www.cisa.gov/resources-tools/resources/product-security-bad-practices">https://www.cisa.gov/resources-tools/resources/product-security-bad-practices</a>.
1. Product properties, which describe the observable security-
related qualities of a software product itself. Listed bad practices
are:
a. A new product line is developed using a memory unsafe language
or the manufacturer does not publish a memory safety roadmap by January
1, 2026.
b. The product includes user-provided input directly in the raw
contents of a SQL database query string.
c. The product includes user-provided input directly in the raw
contents of an operating system command string.
d. The product includes default passwords.
e. The product contains, at the time of release, a component with
an exploitable vulnerability present on CISA's Known Exploited
Vulnerabilities (KEV) Catalog.
f. The product uses open-source software components that have
critical known exploitable vulnerabilities.\1\
---------------------------------------------------------------------------
\1\ A critical vulnerability is one that has an Attack Vector of
``network,'' Privileges Required of ``None,'' does not require user
interaction, and has a ``high'' impact on at least two of the
Confidentiality, Integrity, and Availability loss vectors.
---------------------------------------------------------------------------
2. Security features, which describe the security functionalities
that a product supports. Listed bad practices are:
a. The baseline version of the product does not support multi-
factor authentication.
b. The baseline version of the product does not make audit logs
available.
3. Organizational processes and policies, which describe actions
taken by a software manufacturer to ensure strong transparency in its
approach to security. Listed bad practices are:
a. The organization fails to publish Common Vulnerabilities and
Exposures (CVEs) with Common Weakness Enumerations (CWEs) in a timely
manner (or at all).
b. The organization fails to publish a vulnerability disclosure
policy.
CISA also welcomes comments on other areas or approaches currently
absent from the guidance.
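One way to apply the footnote's definition of a critical vulnerability as a release-gate check over a component inventory, as an added example that is not part of the notice or of CISA's guidance. It assumes vulnerability data is available as CVSS v3.0/v3.1 base vector strings (a representation the notice itself does not specify) and uses a constructed, fictional component list.

```python
import re

# Metric values the footnote requires, in CVSS v3.x codes: Attack Vector
# "network", Privileges Required "None", and no user interaction.
REQUIRED_METRICS = {"AV": "N", "PR": "N", "UI": "N"}
IMPACT_METRICS = ("C", "I", "A")  # Confidentiality, Integrity, Availability
BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def parse_cvss_vector(vector):
    """Parse a CVSS v3.0/v3.1 base vector string into a metric -> value dict,
    e.g. 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'.
    Raises ValueError on an unsupported version or a malformed/incomplete vector."""
    prefix, _, body = vector.strip().partition("/")
    if not re.fullmatch(r"CVSS:3\.[01]", prefix):
        raise ValueError(f"unsupported CVSS vector prefix: {prefix!r}")
    metrics = {}
    for part in body.split("/"):
        name, sep, value = part.partition(":")
        if not (sep and name and value):
            raise ValueError(f"malformed metric: {part!r}")
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"vector is missing base metrics: {missing}")
    return metrics


def is_critical_per_guidance(vector):
    """Apply the footnote's definition. Attack Complexity is not part of it,
    so an AC:H vector still qualifies when the other conditions hold."""
    metrics = parse_cvss_vector(vector)
    if any(metrics[name] != value for name, value in REQUIRED_METRICS.items()):
        return False
    high_impacts = sum(1 for name in IMPACT_METRICS if metrics[name] == "H")
    return high_impacts >= 2


def flag_components(components):
    """Return names of components with at least one vulnerability that meets
    the footnote's critical definition (the list a release gate would block on)."""
    return [c["name"] for c in components
            if any(is_critical_per_guidance(v) for v in c["cvss_vectors"])]


# Constructed sample inventory: fictional component names, no real advisories.
SAMPLE_COMPONENTS = [
    {"name": "libexample", "cvss_vectors": ["CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"]},
    {"name": "widgetlib", "cvss_vectors": ["CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"]},
    {"name": "parserkit", "cvss_vectors": ["CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                                           "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:H"]},
]
```

With the sample inventory, `flag_components(SAMPLE_COMPONENTS)` returns `["libexample", "parserkit"]`: widgetlib is excluded because its only vulnerability requires user interaction, and parserkit is flagged only by its second vector, since the first has a high impact on just one loss vector.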
This notice is issued under the authority of 6 U.S.C. 652 and 659.
Jeffrey E. Greene,
Executive Assistant Director for Cybersecurity, Cybersecurity and
Infrastructure Security Agency, Department of Homeland Security.
[FR Doc. 2024-23869 Filed 10-15-24; 8:45 am]
BILLING CODE 9111-LF-P
</pre></body>
</html>
Indexed from the Federal Register on October 16, 2024.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.