CISA Unveils New Objectives to Enhance IT Cybersecurity

New voluntary cybersecurity performance goals target software development security improvements while addressing potential vulnerabilities.

The Cybersecurity and Infrastructure Security Agency (CISA) is urging software developers across the IT and product design sectors to adopt enhanced cybersecurity measures. In a recent announcement, CISA advocated for isolating development environments with network segmentation and access controls, rigorously monitoring trust relationships, and implementing supply chain risk management aligned with specific IT goals.

On January 7, 2025, CISA released voluntary cybersecurity performance targets designed to provide baseline standards for enhancing cyber hygiene and mitigating risks for developers across critical infrastructure sectors. They emphasize the importance of incorporating CISA’s Secure by Design principles, which include enforcing phishing-resistant multi-factor authentication, imposing stringent security protocols for software tools, and securely encrypting sensitive data and credentials.

Scott Algeier, the executive director of the Information Technology – Information Sharing and Analysis Center, remarked that many of these practices have been established in the industry for years, particularly in the domain of secure code development. He cautioned that while achieving these goals is important, organizations often need to prioritize strategies based on their resource constraints.

CISA has been proactive over the past two years, actively urging technology manufacturers to integrate cybersecurity into their product development processes. This includes publishing clear vulnerability disclosure policies and ensuring transparent reporting mechanisms. As of last year, a minimum of 68 technology firms had pledged to adhere to CISA’s Secure by Design commitments, which include key enhancements like adopting multifactor authentication and addressing known security vulnerabilities.

The agency’s latest guidance details essential steps intended to ensure compliance with these principles, including making software bills of materials (SBOMs) accessible to all customers. While acknowledging the challenges associated with implementing such recommendations due to high costs and complexity, CISA emphasized their critical role in bolstering cybersecurity resilience.

In light of CISA’s recent advisory, cyber professionals must recognize the potential tactics outlined in the MITRE ATT&CK framework that could be employed by adversaries targeting software and product development environments. Relevant tactics could include Initial Access through exploitation of vulnerabilities, Persistence by establishing backdoors, and Privilege Escalation to gain higher-level user permissions, which can compromise the overall integrity of systems.

In October, CISA, in collaboration with the FBI, issued warnings regarding the dangers associated with utilizing memory-unsafe programming languages in new product lines, underscoring the implications for national security and critical infrastructure. Director Jen Easterly remarked that these new sector-specific goals empower organizations to significantly enhance cybersecurity in both software and hardware design and development, urging all stakeholders to review and implement these critical standards to protect the supply chain and ultimately the consumer.
