CISA Announces Secure by Design Commitments from Leading Technology Providers

CISA has announced voluntary commitments by 68 of the world’s leading software manufacturers to CISA’s Secure by Design pledge to design products with greater security built in.
“More secure software is our best hope to protect against the seemingly never-ending scourge of cyberattacks facing our nation. I am glad to see leading software manufacturers recognize this by joining us at CISA to build a future that is more secure by design,” CISA Director Jen Easterly said. “I applaud the companies who have already signed our pledge for their leadership and call on all software manufacturers to take the pledge and join us in creating a world where technology is safe and secure right out of the box.”
A list of the 68 companies, including leading software manufacturers, participating in the pledge can be found at the Secure by Design Pledge page, and statements of support for the pledge can be read here.
By catalyzing action by some of the largest technology manufacturers, the Secure by Design pledge marks a major milestone in CISA’s Secure by Design initiative. Participating software manufacturers are pledging to work over the next year to demonstrate measurable progress towards seven concrete goals. Collectively, these commitments will help protect Americans by securing the technology that our critical infrastructure relies on.
“A more secure by design future is indeed possible. The items in the pledge directly address some of the most pervasive cybersecurity threats we at CISA see today, and by taking the pledge software manufacturers are helping raise our national cybersecurity baseline,” CISA Senior Technical Advisor Jack Cable said. “Every software manufacturer should recognize that they have a responsibility to protect their customers, contributing to our national and economic security. I appreciate the leadership of those who signed on and hope that every technology manufacturer will follow suit.”
The seven goals of the pledge are:
– Multi-factor authentication (MFA). Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.
– Default passwords. Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.
– Reducing entire classes of vulnerability. Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.
– Security patches. Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.
– Vulnerability disclosure policy. Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on products offered by the manufacturer, commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP, provides a clear channel to report vulnerabilities, and allows for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure best practices and international standards.
– CVEs. Within one year of signing the pledge, demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the manufacturer’s products. Additionally, issue CVEs in a timely manner for, at minimum, all critical or high impact vulnerabilities (whether discovered internally or by a third party) that either require actions by a customer to patch or have evidence of active exploitation.
– Evidence of intrusions. Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.
Each goal has core criteria which manufacturers are committing to work towards, in addition to context and example approaches to achieve the goal and demonstrate measurable progress. To enable a variety of approaches, software manufacturers participating in the pledge have the discretion to decide how best they can meet and demonstrate the core criteria of each goal, but progress should be demonstrated in public.
CISA’s global Secure by Design initiative, launched last year, implements the White House’s National Cybersecurity Strategy by shifting the cybersecurity burden away from end users and individuals to technology manufacturers who are most able to bear it. CISA urges software manufacturers to review CISA’s Secure by Design guidance and Secure by Design alerts to build security into their products.

Leave a Reply