A Shot Across the Bow for Software Manufacturers Refusing to Prioritize Security

Overview: CISA and FBI Release Joint Guidance on Product Security Bad Practices

Today, CISA and the FBI issued a public bulletin outlining "Product Security Bad Practices," targeting software manufacturers that serve critical infrastructure and national critical functions (NCFs). While this guidance isn’t a final law—it’s open for public comment until December 2, 2024—it signals an urgent call to action.

This is not a suggestion—it’s a warning shot to the software industry, particularly large manufacturers that have ignored the need for secure development. It reflects the growing pressure to make software security a non-negotiable requirement. CISA’s guidance aligns with the Secure by Design initiative, urging manufacturers to prioritize security at every stage of development to reduce customer risk.

Key Areas of Concern: What This Guidance Covers

The CISA-FBI joint bulletin identifies bad practices that are exceptionally risky and provides recommended actions. It divides bad practices into three critical areas:

  1. Development Environments: Developing in memory-unsafe languages (such as C or C++) without a published roadmap for transitioning away from them. Shipping code that uses SQL queries prone to injection or that is vulnerable to command injection.
  2. Security Features: Lack of Multi-Factor Authentication (MFA), especially for administrator accounts. Withholding customer access to security logs unless an additional subscription fee is paid (one of the more notable highlights).
  3. Organizational Processes and Policies: Failure to publish timely CVEs for high-impact vulnerabilities. Absence of a vulnerability disclosure policy (VDP) to enable responsible reporting by researchers.

The bulletin is open for public comment, but make no mistake—this will influence the future regulatory landscape. Members of the public have until December 2, 2024, to provide feedback.

Why This Bulletin Matters: Building a Foundation for Future Lawsuits

This guidance is more than just a recommendation; it lays the legal and moral groundwork for future litigation. Courts often look to government guidance when assessing negligence and liability, and this document could become a powerful reference in lawsuits against manufacturers that fail to adopt secure practices.

Historically, government reports like the Surgeon General's warning on smoking (1964) became a catalyst for lawsuits that reshaped entire industries. This CISA bulletin could serve a similar role—outlining what constitutes negligent software development. Failing to comply with these recommendations could expose software vendors to product liability lawsuits and class actions, especially if their software is linked to a breach involving critical infrastructure.

T&Cs Won’t Save You: The End of Waiving Accountability

For years, software manufacturers have relied on terms and conditions (T&Cs) to limit their liability, placing the burden of risk on consumers. But CISA’s guidance is changing the narrative. When a product designed for critical infrastructure lacks basic security—like MFA or timely patching—courts may no longer accept T&Cs as a shield against liability.

Just as car manufacturers couldn’t rely on waivers to avoid responsibility for defective airbags, software manufacturers may soon face similar scrutiny. This guidance lays the foundation for gross negligence claims, where the existence of CISA’s recommendations will undermine any defense based on T&Cs.

Future Litigation Scenarios: What We Can Expect

Here’s how this bulletin could serve as the legal bedrock for future lawsuits:

  1. Breach Due to Known Exploited Vulnerability (KEV): A critical infrastructure organization is compromised due to an unpatched KEV-listed vulnerability. Claim: Plaintiffs argue the software vendor acted negligently by not patching within 30 days as outlined in CISA’s guidance.
  2. Class Action for MFA Neglect: A cloud service provider suffers a breach involving admin access that lacked mandatory MFA. Claim: The vendor is accused of gross negligence for failing to enforce MFA, despite CISA’s explicit recommendation.
  3. Subscription Lockout for Security Logs: An organization loses critical evidence after an attack because it couldn’t access its logs without paying for an upgraded subscription. Claim: Plaintiffs argue the vendor engaged in unfair practices by making logging capabilities inaccessible—a violation of the security baseline defined in the CISA bulletin.

Conclusion: Secure by Design—Or Prepare for Court Battles

This joint guidance is CISA’s shot across the bow, warning software manufacturers that the days of half-measures are over. It defines reasonable security practices and sets a clear expectation for how software serving critical infrastructure should be developed and maintained. Manufacturers that ignore this guidance do so at their own risk—not just to their reputation, but to their legal standing.

Like the Surgeon General’s warning on smoking, this bulletin creates a public record of negligence for future lawsuits. It signals that secure software is now a public safety issue, and manufacturers must either comply with these expectations or face accountability in court.

The comment period closes December 2, 2024—but the legal consequences will be felt long after. For software manufacturers, the choice is simple: embrace Secure by Design, or prepare to fight lawsuits in a courtroom near you.

Thank you for reading. Stay vigilant and demand accountability—whether it’s your car, your medicine, or your software.

Jeffrey Hanson I did not take this particular view on the bulletin, but I appreciate the perspective. I hope this is true and it creates positive change!

George Kamide

Cybersecurity Community Builder | Podcast Host | Speaker | GTM Advisor | Nonprofit Director | Advisory Board Member

11mo

Dope write up, thanks Jeffrey!

Val Dobrushkin

Governance, Risk, and Compliance (GRC) Executive, building IPO-proof GRC

11mo

This looks very promising and more than anything in the past is likely to finally push the needle where it needs to be across our software landscape.
