
Code · REGISTER · 2024-10-16 · Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS) · Notices

Notices. Notice of availability; request for comment

834 words·~4 min read·/register/2024/10/16/2024-23869·


BILLING CODE 4140-01-P

DEPARTMENT OF HOMELAND SECURITY

[Docket No. CISA-2024-0028]

Request for Comment on Product Security Bad Practices Guidance

AGENCY: Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS).

ACTION: Notice of availability; request for comment.

SUMMARY: The Cybersecurity Division (CSD) within the Cybersecurity and Infrastructure Security Agency (CISA) requests feedback on draft Product Security Bad Practices guidance. Additionally, CISA requests input on analysis or approaches currently absent from the guidance.

DATES: Written comments are requested on or before December 2, 2024. Submissions received after the deadline for receiving comments may not be considered.

ADDRESSES: You may submit comments, identified by docket number CISA-2024-0028, by following the instructions below for submitting comments via the Federal eRulemaking Portal at *http://www.regulations.gov*.

*Instructions:* All comments received must include the agency name and docket number (Docket Number CISA-2024-0028). All comments received will be posted without change to *http://www.regulations.gov*, including any personal information provided. CISA reserves the right to publicly republish relevant and unedited comments in their entirety that are submitted to the docket. Do not include personal information such as account numbers, social security numbers, or the names of other individuals. Do not submit confidential business information or otherwise sensitive or protected information.

*Docket:* For access to the docket to read the draft Product Security Bad Practices Guidance or comments received, go to *http://www.regulations.gov*.

FOR FURTHER INFORMATION CONTACT: Kirk Lawrence; 202-617-0036; *SecureByDesign@cisa.dhs.gov*.

SUPPLEMENTARY INFORMATION:

I. Public Participation

Interested persons are invited to comment on this notice by submitting written data, views, or arguments using the method identified in the ADDRESSES section above. All members of the public, including but not limited to specialists in the field, academic experts, members of industry, public interest groups, and those with relevant economic expertise, are invited to comment.

II. Background

In line with CISA's Secure by Design initiative, software manufacturers should ensure security is a core consideration from the onset of software development. CISA's draft, voluntary Product Security Bad Practices guidance provides an overview of product security practices that are deemed exceptionally risky, particularly for organizations supporting critical infrastructure or national critical functions (NCFs), and it provides recommendations for software manufacturers to voluntarily mitigate these risks. The guidance contained in the document is non-binding, and while CISA encourages organizations to avoid these bad practices, the document imposes no requirement on them to do so. The draft guidance is scoped to software manufacturers who develop software products and services, including on-premises software, cloud services, and software as a service (SaaS), used in support of critical infrastructure or NCFs. By choosing to follow the recommendations in the draft guidance, manufacturers will signal to customers that they are taking ownership of customer security outcomes, a key Secure by Design principle. CISA strongly encourages all software manufacturers to avoid the product security bad practices included in the Product Security Bad Practices guidance. The Product Security Bad Practices guidance is co-sealed with the Federal Bureau of Investigation.

III. List of Topics for Commenters

CISA seeks comments on the draft Product Security Bad Practices guidance in the following three categories. Note: the categories are explained in detail in the draft guidance itself, available at *https://www.cisa.gov/resources-tools/resources/product-security-bad-practices*.

1. Product properties, which describe the observable security-related qualities of a software product itself. Listed bad practices are:

a. A new product line is developed using a memory unsafe language, or the manufacturer does not publish a memory safety roadmap by January 1, 2026.

b. The product includes user-provided input directly in the raw contents of a SQL database query string.

c. The product includes user-provided input directly in the raw contents of an operating system command string.

d. The product includes default passwords.

e. The product contains, at the time of release, a component with an exploitable vulnerability present on CISA's Known Exploited Vulnerabilities (KEV) Catalog.

f. The product uses open-source software components that have critical known exploitable vulnerabilities.[1]

[1] A critical vulnerability is one that has an Attack Vector of "network," Privileges Required of "None," does not require user interaction, and has a "high" impact on at least two of the Confidentiality, Integrity, and Availability loss vectors.

2. Security features, which describe the security functionalities that a product supports. Listed bad practices are:

a. The baseline version of the product does not support multi-factor authentication.

b. The baseline version of the product does not make audit logs available.

3. Organizational processes and policies, which describe actions taken by a software manufacturer to ensure strong transparency in its approach to security. Listed bad practices are:

a. The organization fails to publish Common Vulnerabilities and Exposures (CVEs) with Common Weakness Enumerations (CWEs) in a timely manner (or at all).

b. The organization fails to publish a vulnerability disclosure policy.

CISA also welcomes comments on other areas or approaches currently absent from the guidance.

This notice is issued under the authority of 6 U.S.C. 652 and 659.

Jeffrey E. Greene, Executive Assistant Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency, Department of Homeland Security.

[FR Doc. 2024-23869 Filed 10-15-24; 8:45 am]
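Editor's worked example for bad practices 1b and 1c (user input placed directly in a SQL query string or an OS command string). This is added illustration, not code from the notice or from CISA: it builds a constructed two-row SQLite table and runs the same lookup twice, once by splicing the input into the query text and once with a bound parameter, then runs a constructed `echo` command twice, once as a shell string and once as an argv list. The payloads, table contents, and function names are all assumptions made for the example; the shell part needs a POSIX `/bin/sh` and `echo`.

```python
"""Added example (not from the CISA notice): bad practices 1b and 1c beside their fixes.

Constructed data: a two-row users table and two injection payloads. Nothing here
is real product code; it exists only to show why the notice lists these practices.
"""
import sqlite3
import subprocess


def make_db() -> sqlite3.Connection:
    """Constructed sample table: an ordinary user and an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "user"), ("bob", "admin")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Bad practice 1b: the caller's string becomes part of the SQL text."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Fix: the driver binds the value; the query text is fixed at authoring time."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def echo_unsafe(user_input: str) -> list[str]:
    """Bad practice 1c: the caller's string is spliced into a shell command line."""
    out = subprocess.run(
        "echo " + user_input, shell=True, capture_output=True, text=True
    )
    return out.stdout.splitlines()


def echo_safe(user_input: str) -> list[str]:
    """Fix: argv list, no shell, so ';' and friends are ordinary characters in one arg."""
    out = subprocess.run(["echo", user_input], capture_output=True, text=True)
    return out.stdout.splitlines()


# Constructed attacker inputs (assumptions for the demonstration).
ATTACK_SQL = "x' OR '1'='1"
ATTACK_CMD = "hello; echo INJECTED"


if __name__ == "__main__":
    conn = make_db()
    print("unsafe SQL:", lookup_unsafe(conn, ATTACK_SQL))  # every row comes back
    print("safe SQL:  ", lookup_safe(conn, ATTACK_SQL))    # no such user: []
    print("unsafe cmd:", echo_unsafe(ATTACK_CMD))          # two lines, second injected
    print("safe cmd:  ", echo_safe(ATTACK_CMD))            # one line, payload inert
```

The point of the pairing is that neither fix involves sanitising the input: the query and the command are assembled by the driver or the OS from a fixed template plus opaque values, which is what "not in the raw contents of the string" means in practice.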
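Editor's worked example for bad practices 1e and 1f (a release that ships a component on the KEV catalog, or an open-source component with a "critical" vulnerability as the notice's footnote defines it). This is added illustration, not code from the notice or from CISA. The component inventory, CVE identifiers, CVSS vectors, and the small KEV stand-in set are all constructed for the example; the real KEV catalog is a feed published by CISA and is not fetched here. One caveat worth seeing in code: the footnote's definition consults only Attack Vector, Privileges Required, User Interaction, and the three impact metrics, so it ignores Attack Complexity and Scope and does not coincide with the CVSS 3.1 qualitative "Critical" band. The generalisation to a whole inventory is the editor's, not something the notice spells out.

```python
"""Added example (not from the CISA notice): a release gate for bad practices 1e and 1f.

All identifiers and vectors below are constructed. The critical test implements the
notice's footnote literally: AV:N, PR:N, UI:N and High impact on at least two of C/I/A.
"""

# Constructed stand-in for the KEV catalog (the real one is published by CISA).
KEV_IDS = {"CVE-2024-0001"}

# Constructed SBOM-like inventory: (cve_id, cvss_v3_vector) per component.
COMPONENTS = [
    {"name": "libalpha", "version": "1.2.0", "cves": [
        ("CVE-2024-0001", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")]},
    {"name": "libbeta", "version": "0.9.1", "cves": [
        # AC:H: CVSS scores this below the Critical band, the footnote still counts it.
        ("CVE-2024-0002", "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N")]},
    {"name": "libgamma", "version": "3.0.0", "cves": [
        ("CVE-2024-0003", "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"),
        ("CVE-2024-0004", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N")]},
]


def parse_vector(vector: str) -> dict[str, str]:
    """Split 'CVSS:3.x/AV:N/...' into {metric: value}; reject other versions."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"unsupported vector: {vector}")
    metrics = {}
    for part in parts[1:]:
        key, _, value = part.partition(":")
        if not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector}")
        metrics[key] = value
    for required in ("AV", "PR", "UI", "C", "I", "A"):
        if required not in metrics:
            raise ValueError(f"vector missing {required}: {vector}")
    return metrics


def is_critical_per_notice(vector: str) -> bool:
    """Footnote definition: network, no privileges, no UI, High on >= 2 of C/I/A."""
    m = parse_vector(vector)
    high_impacts = sum(1 for k in ("C", "I", "A") if m[k] == "H")
    return (m["AV"] == "N" and m["PR"] == "N" and m["UI"] == "N"
            and high_impacts >= 2)


def release_findings(components, kev_ids) -> list[tuple[str, str, str]]:
    """Return (component, cve, reason) for every 1e or 1f hit; one CVE can hit both."""
    findings = []
    for comp in components:
        for cve_id, vector in comp["cves"]:
            if cve_id in kev_ids:
                findings.append((comp["name"], cve_id, "1e: on KEV catalog"))
            if is_critical_per_notice(vector):
                findings.append((comp["name"], cve_id, "1f: critical per footnote"))
    return findings


if __name__ == "__main__":
    for name, cve, reason in release_findings(COMPONENTS, KEV_IDS):
        print(f"{name}: {cve} blocks release ({reason})")
```

A real gate would take the inventory from an SBOM and the identifiers from the published KEV feed; the exploitability evidence that 1f's phrase "known exploitable" implies is not modelled here, so every listed CVE is treated as known.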