Notice

Request for Comment on Product Security Bad Practices Guidance

In Plain English

What is this Federal Register notice?

This is a notice published in the Federal Register by the Homeland Security Department. Notices communicate information, guidance, or policy interpretations but may not create new binding obligations.

Is this rule final?

This document is classified as a notice. It may or may not create enforceable regulatory obligations depending on its specific content.

Who does this apply to?

Consult the full text of this document for specific applicability provisions. The affected parties depend on the regulatory scope defined within.

When does it take effect?

No specific effective date is indicated. Check the full text for date provisions.

Why it matters: This notice communicates agency policy or guidance regarding applicable regulations.

Document Details

Document Number: 2024-25078
Type: Notice
Published: Oct 29, 2024
Effective Date: -
RIN: -
Docket ID: Docket No. CISA-2024-0028
Text Fetched: Yes

Agencies & CFR References

Agency Hierarchy:
CFR References:
None

Linked CFR Parts

No linked CFR parts

Paired Documents

No paired documents

Related Documents (by RIN/Docket)

Doc #: 2024-23869
Type: Notice
Title: Request for Comment on Product Security ...
Published: Oct 16, 2024


Full Document Text (490 words · ~3 min read)

DEPARTMENT OF HOMELAND SECURITY

[Docket No. CISA-2024-0028]

Request for Comment on Product Security Bad Practices Guidance

AGENCY: Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS).

ACTION: Notice of availability; extension of comment period.

SUMMARY: On October 16, 2024, the Cybersecurity Division (CSD) within the Cybersecurity and Infrastructure Security Agency (CISA) published a request for comment in the Federal Register on the voluntary, draft Product Security Bad Practices guidance, which requests feedback on the draft guidance. CISA is extending the comment period for the draft guidance for an additional fourteen days through December 16, 2024.

DATES: The comment period for the proposed voluntary guidance published on October 16, 2024, at 89 FR 83508 is extended. Comments and related materials must be submitted on or before December 16, 2024.

ADDRESSES: You may submit comments, identified by docket number CISA-2024-0028, by following the instructions below for submitting comments via the Federal eRulemaking Portal at https://www.regulations.gov.

Instructions: All comments received must include the agency name and docket number Docket Number CISA-2024-0028. All comments received will be posted without change to http://www.regulations.gov, including any personal information provided. CISA reserves the right to publicly republish relevant and unedited comments in their entirety that are submitted to the docket. Do not include personal information such as account numbers, social security numbers, or the names of other individuals. Do not submit confidential business information or otherwise sensitive or protected information.

Docket: For access to the docket to read the draft Product Security Bad Practices Guidance or comments received, go to https://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Kirk Lawrence, 202-617-0036, SecureByDesign@cisa.dhs.gov.

SUPPLEMENTARY INFORMATION: On October 16, 2024, CISA published a request for comment on voluntary, draft Product Security Bad Practices guidance (89 FR 83508). In the draft guidance, we provided an overview of product security practices that are deemed exceptionally risky, particularly for organizations supporting critical infrastructure or national critical functions (NCFs), and it provides recommendations for software manufacturers to voluntarily mitigate these risks. The guidance contained in the document is non-binding, and while CISA encourages organizations to avoid these bad practices, the document imposes no requirement on them to do so. The draft guidance is scoped to software manufacturers who develop software products and services, including on-premises software, cloud services, and software as a service (SaaS), used in support of critical infrastructure or NCFs.

The request for comment provided for a 45-day comment period, set to close on December 2, 2024. CISA received requests to extend the deadline given the Thanksgiving holiday. Therefore, the comment period is now open through December 16, 2024.

This notice is issued under the authority of 6 U.S.C. 652 and 659.

Jeffrey E. Greene,
Executive Assistant Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency, Department of Homeland Security.

[FR Doc. 2024-25078 Filed 10-28-24; 8:45 am]
This text is preserved for citation and comparison. View the official version for the authoritative text.