Consumer Reports files comments to CISA in support of software manufacturer recommendations

CR filed comments with the Cybersecurity and Infrastructure Security Agency in support of the agency’s recently released “Product Security Bad Practices” guidance. CR suggested targeted improvements to a number of the recommendations, and urged the agency to specifically call out vendors who charge customers a premium for fundamental, legally mandated security support. CR argued that software-as-a-service providers should be required to provide at least nine basic protections so that customers have the capacity to meet modern cybersecurity standards:

  • Include support for multi-factor authentication (MFA).
  • Include an admin mechanism to require all users to have MFA enabled.
  • Require support for single sign-on (SSO) integration via protocols such as SAML, with the ability for administrators to remove users and groups.
  • Provide basic role-based access control to separate administrative functions from those available to normal users.
  • Provide an audit trail within the application, retained for 365 days, so administrators can identify actions taken by users.
  • Provide a forced-logout mechanism that lets admins log users out or revoke their access when an account has been compromised, without deleting the user altogether.
  • Allow administrators to set password complexity policies (such as password length) to resist brute force attacks.
  • Provide encryption in transit (TLS).
  • Allow administrators to destroy data or have a data destruction policy.