CISA’s Secure by Design
CISA’s global Secure by Design initiative, launched last year, implements the White House’s National Cybersecurity Strategy by shifting the cybersecurity burden away from end users and individuals to the technology manufacturers who are best able to bear it. CISA urges software manufacturers to review CISA’s Secure by Design guidance and Secure by Design alerts to build security into their products. To date, nearly 160 software companies have signed Federal Secure by Design
The seven goals of the pledge are:
1) Multi-factor authentication (MFA). Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.
2) Default passwords. Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturer’s products.
3) Reducing entire classes of vulnerability. Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.
4) Security patches. Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.
5) Vulnerability disclosure policy. Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on products offered by the manufacturer, commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP, provides a clear channel to report vulnerabilities, and allows for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure best practices and international standards.
6) CVEs. Within one year of signing the pledge, demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the manufacturer’s products. Additionally, issue CVEs in a timely manner for, at minimum, all critical or high impact vulnerabilities (whether discovered internally or by a third party) that either require actions by a customer to patch or have evidence of active exploitation.
7) Evidence of intrusions. Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.
#CISA #Security #design #pledge
https://lnkd.in/g_YXtnc4