Secure-by-Design Pledge Compliance Profile, v1.0

Profile of requirements from the Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), for providers of enterprise software products and services, including on-premises software, cloud services, and software as a service (SaaS). Enables an organization to demonstrate alignment with the principles and practices articulated by the Secure-by-Design initiative.
Identifier https://artifacts.trustmarkinitiative.org/lib/tips/secure-by-design-pledge--compliance-profile/1.0/
Publication Date 2025-05-15
Issuing Organization Contact help@trustmarkinitiative.org
Keywords Secure by Design, Secure by Default, Software Security, Cybersecurity, DHS, CISA
Legal Notice This artifact is published by the Georgia Tech Research Institute (GTRI) as part of the Trustmark Initiative. This artifact and the information contained herein are provided on an "AS IS" basis, and GTRI disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties of merchantability or fitness for a particular purpose. In addition, GTRI disclaims legal liability for any loss incurred as a result of the use of or reliance on the document or the information contained herein.

Trust Expression:

TD_MFAbyDefault
and TD_MFAReminders
and TD_SupportforStandardsBasedSSO
and TD_PublicationofMFAAdoptionStatistics
and TD_PhishingResistantMFAforAdminAccounts
and TD_RandomInstanceUniqueInitialPasswords
and TD_StrongPasswordCreationDuringInstallation
and TD_LimitedUseSetupPasswords
and TD_TransitionAwayfromDefaultPasswords
and TD_PublicationofDefaultPasswordUsageStatistics
and TD_PreventionofSQLInjectionAttacks
and TD_WebTemplateFrameworkswithXSSProtections
and TD_MemorySafetyRoadmap
and TD_SecurebyDefaultLibraries
and TD_PublicationofCVERootCauseAnalyses
and TD_AutoInstallationofSoftwarePatches
and TD_ClearCommunicationRegardingProductEndofLife
and TD_DirectApplicationofPatchesforSaaSandCloudOfferings
and TD_PublicationofPatchAdoptionRates
and TD_PublicationofVDPAuthorizingPublicProductTesting
and TD_VulnerabilityReportingChannelandPublicDisclosure
and TD_MachineReadableVDP
and TD_InclusionofAccurateCWEandCPEinCVENotices
and TD_PromptIssuanceofCVENoticesforCriticalVulnerabilities
and TD_PublicationofCVEIssuancePolicy
and TD_BaselineLoggingforConfigurationChangesandAccessEvents
and TD_ReasonableRetentionofLogsatNoExtraCost
and TD_PublicationofSupplementalMonitoringGuidance

References (28)

TD MFA by Default, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to enable multi-factor authentication (MFA) by default for all users and administrators upon first registration, across all of its product and service offerings.
ID TD_MFAbyDefault

TD MFA Reminders, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to implement user prompts or reminders to encourage adoption of multi-factor authentication (MFA), e.g., through seat belt chimes, banners, interstitials, etc., across all of its product and service offerings.
ID TD_MFAReminders

TD Support for Standards-Based SSO, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to support single sign-on (SSO) configurations that are standards-based (e.g., using SAML or OpenID Connect) and that enable multi-factor authentication (MFA) through customers' identity providers, across all of its product and service offerings.
ID TD_SupportforStandardsBasedSSO

TD Publication of MFA Adoption Statistics, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to periodically publish aggregate statistics on the adoption of multi-factor authentication (MFA) within its products and services, categorized by user type and MFA method.
ID TD_PublicationofMFAAdoptionStatistics

TD Phishing-Resistant MFA for Admin Accounts, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to prioritize adoption of phishing-resistant multi-factor authentication (MFA) for administrative accounts, across all of its product and service offerings.
ID TD_PhishingResistantMFAforAdminAccounts

TD Random Instance-Unique Initial Passwords, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to provide random, instance-unique initial passwords for each product installation, across all of its product and service offerings.
ID TD_RandomInstanceUniqueInitialPasswords

TD Strong Password Creation During Installation, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to require users to create a strong password during initial product installation and configuration, across all of its product and service offerings.
ID TD_StrongPasswordCreationDuringInstallation

TD Limited-Use Setup Passwords, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to use time-limited setup passwords that auto-disable after configuration completion, across all of its product and service offerings.
ID TD_LimitedUseSetupPasswords

TD Transition Away from Default Passwords, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to take steps to transition all of its existing product and service deployments away from default passwords through outreach campaigns or software updates.
ID TD_TransitionAwayfromDefaultPasswords

TD Publication of Default Password Usage Statistics, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to periodically publish statistics on its products that are still using default passwords, as well as the progress of customer efforts to migrate away from default passwords.
ID TD_PublicationofDefaultPasswordUsageStatistics

TD Prevention of SQL Injection Attacks, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to enforce use of parameterized database queries to prevent SQL injection attacks, across all of its product and service offerings.
ID TD_PreventionofSQLInjectionAttacks

TD Web Template Frameworks with XSS Protections, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to adopt web template frameworks with built-in cross-site scripting (XSS) protections, across all of its product and service offerings.
ID TD_WebTemplateFrameworkswithXSSProtections

TD Memory-Safety Roadmap, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to develop and implement an organizational memory-safety roadmap to transition all of its product and service offerings to memory-safe languages.
ID TD_MemorySafetyRoadmap

TD Secure-by-Default Libraries, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to provide its product developers with secure-by-default libraries and functions that eliminate common classes of vulnerabilities.
ID TD_SecurebyDefaultLibraries

TD Publication of CVE Root Cause Analyses, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to publish root-cause analyses of common vulnerabilities and exposures (CVEs), across all of its product and service offerings.
ID TD_PublicationofCVERootCauseAnalyses

TD Auto-Installation of Software Patches, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to enable automatic installation of software patches by default where appropriate, across all of its product and service offerings.
ID TD_AutoInstallationofSoftwarePatches

TD Clear Communication Regarding Product End-of-Life, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to clearly communicate end-of-life (EOL) timelines and offer transition support or guidance for unsupported products, across all of its product and service offerings.
ID TD_ClearCommunicationRegardingProductEndofLife

TD Direct Application of Patches for SaaS and Cloud Offerings, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to apply patches directly for all of its cloud-based and Software-as-a-Service (SaaS) product and service offerings without requiring customer action.
ID TD_DirectApplicationofPatchesforSaaSandCloudOfferings

TD Publication of Patch Adoption Rates, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to publish patch adoption rates by product version over time, across all of its product and service offerings.
ID TD_PublicationofPatchAdoptionRates

TD Publication of VDP Authorizing Public Product Testing, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to publish a vulnerability disclosure policy (VDP) that authorizes public testing of its products and services, and prohibits legal action against good-faith researchers who engage in such testing.
ID TD_PublicationofVDPAuthorizingPublicProductTesting

TD Vulnerability Reporting Channel and Public Disclosure, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to provide a clear vulnerability reporting channel for its products and services, and also to allow public disclosure of discovered vulnerabilities in accordance with coordinated disclosure standards.
ID TD_VulnerabilityReportingChannelandPublicDisclosure

TD Machine-Readable VDP, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to implement a machine-readable vulnerability disclosure policy (VDP), e.g., in a 'security.txt' file, for accessibility by vulnerability researchers.
ID TD_MachineReadableVDP

TD Inclusion of Accurate CWE and CPE in CVE Notices, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to include accurate common weakness enumeration (CWE) and common platform enumeration (CPE) fields in every common vulnerabilities and exposures (CVE) record that it publishes about its products and services.
ID TD_InclusionofAccurateCWEandCPEinCVENotices

TD Prompt Issuance of CVE Notices for Critical Vulnerabilities, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to issue common vulnerabilities and exposures (CVE) notices promptly for all critical/high-impact vulnerabilities requiring customer action or under active exploitation, for all of its product and service offerings.
ID TD_PromptIssuanceofCVENoticesforCriticalVulnerabilities

TD Publication of CVE Issuance Policy, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to publicly document its common vulnerabilities and exposures (CVE) issuance policies and also to encourage CVE filing for lower-severity vulnerabilities.
ID TD_PublicationofCVEIssuancePolicy

TD Baseline Logging for Configuration Changes and Access Events, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to provide baseline logging for configuration changes and for identity, network, and data access events, across all of its product and service offerings.
ID TD_BaselineLoggingforConfigurationChangesandAccessEvents

TD Reasonable Retention of Logs at No Extra Cost, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to retain logs for a reasonable period (e.g., 6 months) at no extra cost for all of its cloud-based or Software-as-a-Service (SaaS) product and service offerings.
ID TD_ReasonableRetentionofLogsatNoExtraCost

TD Publication of Supplemental Monitoring Guidance, v1.0
Description Specifies requirements in accordance with the DHS CISA Secure-by-Design Pledge, published by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Requires an organization to publish monitoring guidance for products that lack a cybersecurity incident logging capability, across all of its product and service offerings.
ID TD_PublicationofSupplementalMonitoringGuidance

Sources (1)

SBDP Secure-by-Design Pledge. https://www.cisa.gov/resources-tools/resources/cisa-secure-design-pledge. Sourced May 2025.