Secure by Design – CISA and FBI Release Updated Guidance on Product Security Bad Practices

TLP:AMBER+STRICT
Created: Tuesday, January 21, 2025 - 14:41
Categories: Cybersecurity, OT-ICS Security, Federal & State Resources

Last week, CISA released an update to the joint CISA and FBI guidance “Product Security Bad Practices,” originally released in October last year. The guidance gives an overview of exceptionally risky product security practices for software manufacturers that produce software in support of critical infrastructure or national critical functions.

The bad practices are divided into three categories:

  1. Product properties, which describe the observable, security-related qualities of a software product.
  2. Security features, which describe the security functionalities that a product supports.
  3. Organizational processes and policies, which describe the actions taken by a software manufacturer to ensure strong transparency in its approach to security.

While this guidance is intended for software manufacturers, members are encouraged to use CISA’s Secure by Demand guidance, which outlines the important role that software customers play in driving a secure technology ecosystem. Identifying and buying the most secure products will not only make your utility less of a target, but will also encourage manufacturers to create secure products. As your utility incorporates Fundamental 11: Secure the Supply Chain, one of WaterISAC’s 12 Cybersecurity Fundamentals, consider including these bad practices in the criteria you use to vet your current and future software providers. Access the full guidance at CISA.