Skip to content

CISA recommendations

This document is intended for software manufacturers who develop software products and services—including on-premises software, cloud services, and software as a service (SaaS)—used in support of critical infrastructure or NCFs. The authoring organizations strongly encourage all software manufacturers to avoid these product security bad practices. By following the recommendations in this guidance, manufacturers will signal to customers that they are taking ownership of customer security outcomes, a key Secure by Design principle. The guidance contained in this document is non-binding and while CISA encourages organizations to avoid these bad practices, this document imposes no requirement on them to do so.

The bad practices are divided into three categories.

  1. Product properties, which describe the observable, security-related qualities of a software product.
  2. Security features, which describe the security functionalities that a product supports.
  3. Organizational processes and policies, which describe the actions taken by a software manufacturer to ensure strong transparency in its approach to security.

This is a voluntary pledge focused on enterprise software products and services, including on-premises software, cloud services, and software as a service (SaaS). Physical products such as IoT devices and consumer products are not scoped in the pledge, though companies who wish to demonstrate progress in those areas are welcome to do so.

By participating in the pledge, software manufacturers are pledging to make a good-faith effort to work towards the goals listed below over the following year. In the case where a software manufacturer is able to make measurable progress towards a goal, the manufacturer should publicly document how they have achieved such progress within one year of signing the pledge. Where the software manufacturer is not able to make measurable progress, the manufacturer is encouraged to, within one year of signing the pledge, share with CISA how the manufacturer has worked towards the goal and any challenges faced. And, in the spirit of radical transparency, the manufacturer is encouraged to publicly document their approach so that others can learn. This pledge is voluntary and not legally binding.

The pledge is structured with seven goals. Each goal has the core criteria which manufacturers are pledging to work towards, in addition to context and example approaches to achieve the goal and demonstrate measurable progress. To enable a variety of approaches, software manufacturers participating in the pledge have the discretion to decide how best they can meet and demonstrate the core criteria of each goal. Demonstrating measurable progress across the manufacturer’s products can take a variety of forms — such as by taking action on all the manufacturer’s products, or by choosing a set of products to first address and publishing a roadmap for other products.

This guide builds on The Case for Memory Safe Roadmaps by providing a starting point for software manufacturers to create memory safe roadmaps, including plans to address memory safety in external dependencies which commonly include OSS. Exploring Memory Safety in Critical Open Source Projects also aligns with the 2023 National Cybersecurity Strategy and corresponding implementation plan, which discusses investing in memory safety and collaborating with the open source community—including the establishment of the interagency Open Source Software Security Initiative (OS3I) and investment in memory-safe programming languages.

#security #saas

Page last modified: 2024-11-13 09:17:00