The Cybersecurity and Infrastructure Security Agency this week released voluntary cybersecurity performance goals for the information technology and product design sector. While specific to IT, the goals provide software and product developers in all critical infrastructure sectors with minimum foundational practices to guide their cybersecurity efforts, the agency said.
According to a CISA summary, recommended actions include:
- Logically separate all software development environments from each other using controls such as network segmentation and access controls.
- Regularly log, monitor and review trust relationships used for authorization and access across software development environments.
- Require multi-factor authentication — ideally phishing-resistant MFA — to access all software development environments.
- Establish and enforce security requirements for software products used across software development environments.
- Do not store sensitive data or credentials in source code. Instead, store sensitive data and credentials in an encrypted manner, such as using a secret manager.
- Establish a software supply chain risk management program.
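As an added illustration of the credentials-in-source goal above (example code, not part of the CISA document), the Python below shows a simple pre-commit style check that flags credential-like literals in source, beside the runtime-lookup pattern that replaces them; the regexes, key names and sample lines are constructed assumptions for this example.

```python
import os
import re

# Heuristic patterns for credentials committed to source (assumed for this example).
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*["']([^"']{8,})["']"""
)
AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def find_hardcoded_secrets(source: str) -> list[tuple[int, str]]:
    """Return (line_number, reason) for every line that appears to embed a credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # commented-out lines are not live secrets
            continue
        m = SECRET_ASSIGNMENT.search(line)
        if m:
            findings.append((lineno, f"literal assigned to '{m.group(1).lower()}'"))
        elif AWS_ACCESS_KEY.search(line):
            findings.append((lineno, "AWS access key ID pattern"))
    return findings


def load_secret(name: str, env=os.environ) -> str:
    """Hardened pattern: fetch the value at runtime from an injected store
    (environment here; a secret manager in production) and fail closed if absent."""
    value = env.get(name)
    if not value:
        raise RuntimeError(f"secret {name!r} is not available; refusing to start")
    return value


# Constructed sample source; the values are not real credentials.
SAMPLE_BEFORE = "\n".join([
    'DB_PASSWORD = "hunter2hunter2"',
    'aws_key = "AKIAIOSFODNN7EXAMPLE"',
    '# password = "commented out, so not flagged"',
    "DEBUG = True",
])
SAMPLE_AFTER = "\n".join([
    'DB_PASSWORD = load_secret("DB_PASSWORD")',
    "DEBUG = True",
])

if __name__ == "__main__":
    for lineno, reason in find_hardcoded_secrets(SAMPLE_BEFORE):
        print(f"line {lineno}: {reason}")
    print("hardened version findings:", find_hardcoded_secrets(SAMPLE_AFTER))
```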
The goals “help critical infrastructure sectors significantly strengthen cybersecurity in the design and development of software and hardware,” CISA Director Jen Easterly said. “We encourage organizations to review and implement the goals which will benefit and protect the supply chain including consumers.”