Today, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released joint guidance on Product Security Bad Practices, a part of CISA’s Secure by Design initiative. This joint guidance supplies an overview of exceptionally risky product security bad practices for software manufacturers who produce software in support of critical infrastructure or national critical functions. 

The bad practices presented in this guidance are organized into three categories: product properties, security features, and organizational processes and policies. This guidance contains brief information about specific bad practices, recommended actions, and additional resources. While this guidance is intended for software manufacturers who develop software products and services in support of critical infrastructure, all software manufacturers are strongly encouraged to avoid these product security bad practices. 

CISA and FBI urge software manufacturers to reduce customer risk by prioritizing security throughout the product development process. For more information and resources, visit CISA.gov/SecureByDesign.

The public comment period begins today and concludes on December 2, 2024. During the comment period, members of the public can provide comments and feedback via the Federal Register.