The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with other federal agencies, has released a comprehensive report urging a national effort to better understand the behavior of software underpinning critical infrastructure and national security systems.
The report, titled “Closing the Software Understanding Gap,” highlights the pressing need for policy action, technical innovation, and resources to help system owners and operators better construct and assess their software-controlled systems across all conditions – normal, abnormal, and hostile.
Neal Ziring, NSA Research Technical Director, emphasized the importance of this initiative, stating, “A lack of understanding of software imposes risks on many critical systems that are dependent on software to run properly and as intended.”
Ziring further added that the report serves as a national call for government and the private sector to collaborate in prioritizing software understanding as a critical national effort.
Technical Analysis
CISA Director Jen Easterly emphasized the importance of these recommendations, stating, “The IT SSGs help critical infrastructure sectors significantly strengthen cybersecurity in the design and development of software and hardware.”
The agency has also launched a new program called ‘Vulnrichment’ to address challenges in the National Vulnerability Database (NVD). The program focuses on adding metadata to Common Vulnerabilities and Exposures (CVE) records, including Common Platform Enumeration (CPE) identifiers, Common Vulnerability Scoring System (CVSS) scores, and Known Exploited Vulnerabilities (KEV) catalog entries.
The report outlines several key recommendations:
- Separating software development environments using controls like network segmentation and access controls.
- Implementing regular logging, monitoring, and trust reviews for authorization across development environments.
- Requiring multi-factor authentication for accessing all software development processes.
- Establishing security protocols for software used in the development process.
- Storing sensitive data and credentials through encryption instead of in source code.
- Creating a software supply chain risk management plan.
These initiatives align with CISA’s broader Secure by Design principles, which aim to shift the burden of security from end-users back to manufacturers.
By implementing these recommendations, organizations can significantly improve their cybersecurity posture and better protect critical infrastructure and national security systems.