CISA Publishes IT Sector-Specific Goals to Enhance Cybersecurity in Software Development and Product Design

Jordan Vega

January 13, 2025 · 3 min read

The US Cybersecurity & Infrastructure Security Agency (CISA) has taken a significant step towards enhancing cybersecurity in the IT sector by publishing 18 sector-specific goals for software development and product design. These goals, released on January 7, aim to provide additional voluntary practices with high-impact security actions to protect against cyber threats.

The IT Sector-Specific Goals (IT SSGs) are based on CISA's operational data and research on the current threat landscape. They are designed to go beyond the cross-sector cybersecurity performance goals (CPGs) and provide more specific guidance for the IT sector. The goals were developed in collaboration with government, industry groups, and private sector organizations, ensuring a comprehensive and well-rounded approach to cybersecurity.

In terms of software development, the 11 goals focus on securing the development process, including separating environments used in software development, regularly logging and reviewing trust relationships, and enforcing multifactor authentication. Other goals include establishing security requirements for software products, securely storing and transmitting credentials, and implementing effective perimeter and internal network monitoring solutions.

One of the key goals for software development is to separate all environments used in software development, including development, build, test, and distribution environments, to prevent unauthorized access to sensitive data and systems. This goal is critical in preventing cyber threats that can compromise sensitive information.

In addition to software development, the IT SSGs also include seven goals for secure product design. These goals focus on reducing the risk of password compromise or the use of weak passwords, reducing default passwords, and reducing entire classes of vulnerabilities. Other goals include providing customers with security patching in a timely manner, ensuring customers understand when products are nearing end-of-life support, and including Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record.

The number-one goal for secure product design is to increase the use of multifactor authentication (MFA) to reduce the risk of password compromise or the use of weak passwords. This goal is essential to preventing compromises that stem from weak or compromised passwords.

The publication of these IT SSGs is a significant step towards enhancing cybersecurity in the IT sector. By providing voluntary practices with high-impact security actions, CISA is enabling organizations to take a proactive approach to cybersecurity and protect against cyber threats. As the threat landscape continues to evolve, the adoption of these goals will be critical in ensuring the security and integrity of software development and product design.

In conclusion, the IT SSGs published by CISA are a crucial step towards enhancing cybersecurity in the IT sector. By providing specific guidance for software development and product design, these goals will help organizations protect against cyber threats and ensure the security and integrity of their products and services. As the IT sector continues to evolve, the adoption of these goals will be essential in maintaining a secure and resilient cyber environment.

Copyright © 2024 Starfolk. All rights reserved.