CISA Outlines Cybersecurity Goals in 3-Year Plan

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) described a "Strategic Plan" for cybersecurity over the next three years, per a Friday announcement.

The plan stressed collaboration, and included steps for industry to implement. CISA typically advises federal government agencies, but the plan was directed toward organizations more generally. Much of the plan focused on what "technology providers" should do to improve security.

The implications for technology providers are most clearly expressed in the document's "Goal 3" section. Here, CISA reiterated its general exhortations that technology products need to be secure upon product release.

As a society, we can no longer accept a model where every technology product is vulnerable the moment it is released and where the overwhelming burden for security lies with individual organizations and users. Technology should be designed, developed, and tested to minimize the number of exploitable flaws before they are introduced to the market.

Technology providers need to "build security into products throughout their lifecycle, ship products with secure defaults, and foster radical transparency when known weaknesses are present in software, hardware, systems, and supply chains," the document added.

Goals for Technology Providers
CISA's document lays out steps for software and device makers to implement in its "Goal 3" section.

Per a "measurement of effectiveness" segment (p. 21), CISA wants technology providers to:

  • Publish "detailed threat models" showing where product protections are needed.
  • Attest that they are meeting the controls specified in NIST's Secure Software Development Framework (SSDF).
  • Publicize that their products' Common Vulnerabilities and Exposures (CVE) "entries are correct and complete."
  • Publish "secure-by-design" roadmaps, "including how the provider is making changes to their software development processes, measuring defect rates, and setting goals for improvement, and transitioning to memory-safe programming languages."
  • Publish "security-relevant statistics and trends, such as MFA [multifactor authentication] adoption, use of unsafe legacy protocols, and the percentage of customers using unsupported product versions."

Voluntary Reporting, for Now
CISA's "Strategic Plan" document stressed "shared efforts" toward shoring up cybersecurity. CISA wants technology providers to publish security-relevant statistics so that it can take a "data-driven approach" toward identifying practices that are subject to attacks.

However, CISA also added that it will "take steps to advance transparency, including through adoption of Software Bills of Materials and rigorous vulnerability disclosure practices."

One effort to advance transparency is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which was passed last year by the Biden administration, per this CISA document. It currently encourages voluntary reporting by organizations about cybersecurity incidents, but it will be "supplemented by mandatory reporting" in future years. The mandatory reporting will take effect when a Final Rule is implemented. The timing for that implementation is vague as CISA must first issue a Notice of Proposed Rulemaking, according to the document.

CISA isn't planning to supplant or duplicate commercial cybersecurity capabilities, but it will provide capabilities for federal civilian executive branch agencies and resource-poor targeted organizations. It plans to assess cybersecurity generally using "commercial Attack Surface Management and similar capabilities."

CISA added that "only when no viable capabilities exist in the commercial market will we consider developing an in-house capability."

Top Vulnerabilities
Also this week, CISA announced publication of the "2022 Top Routinely Exploited Vulnerabilities," in conjunction with other international cybersecurity agencies. This publication has recommendations for "vendors, designers, developers, and end-user organizations" to implement, including SSDF and secure-by-design principles.

CISA's top 2022 list was based on the CVEs that were "routinely and frequently exploited by malicious cyber actors in 2022." It included vulnerabilities found in software by Fortinet, Microsoft, Zoho, Atlassian, VMware, F5 and more.

However, Microsoft appeared to be the vendor whose software vulnerabilities were most frequently exploited in 2022, per CISA's list.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
