News

CISA Outlines Cybersecurity Goals in 3-Year Plan

• By Kurt Mackie
• August 04, 2023

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) described a "Strategic Plan" for cybersecurity over the next three years, per a Friday announcement.

The plan stressed collaboration, and included steps for industry to implement. CISA typically advises federal government agencies, but the plan was directed toward organizations more generally. Much of the plan focused on what "technology providers" should do to improve security.

The implications for technology providers are most clearly expressed in the document's "Goal 3" section. Here, CISA reiterated its general exhortations that technology products need to be secure upon product release.

As a society, we can no longer accept a model where every technology product is vulnerable the moment it is released and where the overwhelming burden for security lies with individual organizations and users. Technology should be designed, developed, and tested to minimize the number of exploitable flaws before they are introduced to the market.

Technology providers need to "build security into products throughout their lifecycle, ship products with secure defaults, and foster radical transparency when known weaknesses are present in software, hardware, systems, and supply chains," the document added.

Goals for Technology Providers
CISA's document appears to lay out as steps for software and device makers to implement in its "Goal 3" section.

Per a "measurement of effectiveness" segment (p. 21), CISA wants technology providers to:

• Publish "detailed threat models" showing where product protections are needed.
• Attest that they are meeting the controls specified in NIST's Secure Software Development Framework (SSDF).
• Publicize that their product's common vulnerabilities and exposures (CVEs) "entries are correct and complete."
• Publish "secure-by-design" roadmaps, "including how the provider is making changes to their software development processes, measuring defect rates, and setting goals for improvement, and transitioning to memory-safe programming languages."
• Publish "security-relevant statistics and trends, such as MFA [multifactor authentication] adoption, use of unsafe legacy protocols, and the percentage of customers using unsupported product versions."

Voluntary Reporting, for Now
CISA's "Strategic Plan" document stressed "shared efforts" toward shoring up cybersecurity. CISA wants technology providers to publish security-relevant statistics so that it can take a "data-driven approach" toward identifying practices that are subject to attacks.

However, CISA also added that it will "take steps to advance transparency, including through adoption of Software Bills of Materials and rigorous vulnerability disclosure practices."

One effort to advance transparency is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which was passed last year by the Biden administration, per this CISA document. It currently encourages voluntary reporting by organizations about cybersecurity incidents, but it will be "supplemented by mandatory reporting" in future years. The mandatory reporting will take effect when a Final Rule is implemented. The timing for that implementation is vague as CISA must first issue a Notice of Proposed Rulemaking, according to the document.

CISA isn't planning to supplant or duplicate commercial cybersecurity capabilities, but it will provide capabilities for federal civilian executive branch agencies and resource-poor targeted organizations. It plans to assess cybersecurity generally using "commercial Attack Surface Management and similar capabilities."

CISA added that "only when no viable capabilities exist in the commercial market will we consider developing an in-house capability."

Top Vulnerabilities
Also this week, CISA announced publication of the "2022 Top Routinely Exploited Vulnerabilities," in conjunction with other international cybersecurity agencies. This publication has recommendations for "vendors, designers, developers, and end-user organizations" to implement, including SSDF and secure-by-design principles.

CISA's top 2022 list was based on the CVEs that were "routinely and frequently exploited by malicious cyber actors in 2022." It included vulnerabilities found in software by Fortinet, Microsoft, Zoho, Atlassian, VMware, F5 and more.

However, Microsoft appeared to be the vendor that was most frequently found to have its software vulnerabilities exploited in 2022, per CISA's list.