Notice 2024-25078

Request for Comment on Product Security Bad Practices Guidance

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
October 29, 2024

Issuing agencies

Homeland Security Department

Abstract

On October 16, 2024, the Cybersecurity Division (CSD) within the Cybersecurity and Infrastructure Security Agency (CISA) published a request for comment in the Federal Register on the voluntary, draft Product Security Bad Practices guidance, which requests feedback on the draft guidance. CISA is extending the comment period for the draft guidance for an additional fourteen days through December 16, 2024.

Full Text

<html>
<head>
<title>Federal Register, Volume 89 Issue 209 (Tuesday, October 29, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 209 (Tuesday, October 29, 2024)]
[Notices]
[Page 85976]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-25078]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

[Docket No. CISA-2024-0028]


Request for Comment on Product Security Bad Practices Guidance

AGENCY: Cybersecurity and Infrastructure Security Agency (CISA), 
Department of Homeland Security (DHS).

ACTION: Notice of availability; extension of comment period.

-----------------------------------------------------------------------

SUMMARY: On October 16, 2024, the Cybersecurity Division (CSD) within 
the Cybersecurity and Infrastructure Security Agency (CISA) published a 
request for comment in the Federal Register on the voluntary, draft 
Product Security Bad Practices guidance, which requests feedback on the 
draft guidance. CISA is extending the comment period for the draft 
guidance for an additional fourteen days through December 16, 2024.

DATES: The comment period for the proposed voluntary guidance published 
on October 16, 2024, at 89 FR 83508 is extended. Comments and related 
materials must be submitted on or before December 16, 2024.

ADDRESSES: You may submit comments, identified by docket number CISA-
2024-0028, by following the instructions below for submitting comments 
via the Federal eRulemaking Portal at <a href="https://www.regulations.gov">https://www.regulations.gov</a>.
    Instructions: All comments received must include the agency name 
and docket number CISA-2024-0028. All comments received 
will be posted without change to <a href="http://www.regulations.gov">http://www.regulations.gov</a>, including 
any personal information provided. CISA reserves the right to publicly 
republish relevant and unedited comments in their entirety that are 
submitted to the docket. Do not include personal information such as 
account numbers, social security numbers, or the names of other 
individuals. Do not submit confidential business information or 
otherwise sensitive or protected information.
    Docket: For access to the docket to read the draft Product Security 
Bad Practices Guidance or comments received, go to <a href="https://www.regulations.gov">https://www.regulations.gov</a>.

FOR FURTHER INFORMATION CONTACT: Kirk Lawrence, 202-617-0036, 
[email protected].

SUPPLEMENTARY INFORMATION: On October 16, 2024, CISA published a 
request for comment on voluntary, draft Product Security Bad Practices 
guidance (89 FR 83508). In the draft guidance, we provided an overview 
of product security practices that are deemed exceptionally risky, 
particularly for organizations supporting critical infrastructure or 
national critical functions (NCFs), and it provides recommendations for 
software manufacturers to voluntarily mitigate these risks. The 
guidance contained in the document is non-binding, and while CISA 
encourages organizations to avoid these bad practices, the document 
imposes no requirement on them to do so. The draft guidance is scoped 
to software manufacturers who develop software products and services, 
including on-premises software, cloud services, and software as a 
service (SaaS), used in support of critical infrastructure or NCFs. The 
request for comment provided for a 45-day comment period, set to close 
on December 2, 2024. CISA received requests to extend the deadline 
given the Thanksgiving holiday. Therefore, the comment period is now 
open through December 16, 2024.
    This notice is issued under the authority of 6 U.S.C. 652 and 659.

Jeffrey E. Greene,
Executive Assistant Director for Cybersecurity, Cybersecurity and 
Infrastructure Security Agency, Department of Homeland Security.
[FR Doc. 2024-25078 Filed 10-28-24; 8:45 am]
BILLING CODE 9111-LF-P


</pre></body>
</html>
Indexed from Federal Register on October 29, 2024.
