CISA secure-by-design pledge endorsed by dozens of major tech and cybersecurity firms

A slew of notable tech firms have signed a CISA pledge to make products secure by design, but it isn’t legally binding.
Francis Scialabba

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Dozens of tech firms have volunteered to sign a secure-by-design pledge endorsed by the Cybersecurity and Infrastructure Security Agency (CISA), according to CIO Dive.

Companies that have signed on to the CISA initiative include Amazon Web Services, Google, and Microsoft, as well as a large number of cybersecurity firms. The Register reported that the signatories announced their commitment at the RSA Conference 2024, with the expectation that the 68 companies will share their progress on the pledge at the 2025 edition of the conference.

The pledge is entirely voluntary, isn’t legally binding, and CISA has no enforcement mechanism if the firms don’t follow through. Still, it includes a wide range of best practices signatories agree to adopt. Those include expanding multi-factor authentication across their products, reducing the use of default passwords, and demonstrating “actions taken toward enabling a significant measurable reduction of one or more vulnerability classes,” according to the text of the pledge.

Other commitments in the pledge include taking steps to encourage customers to patch their products, adopting a vulnerability disclosure policy that doesn’t punish white-hat hackers operating in good faith, and ensuring transparency around vulnerability reporting and evidence of breaches or intrusions.

“Our goal for the entire community is to shift the security burden from individuals and small businesses—in other words, end users whose business is not a technology development effort or cybersecurity—to technology manufacturers whose business it is, and who are in the best position to address and manage security risks from the start,” CISA director Jen Easterly said during the signing of the pledge, The Register wrote.

Encouraging secure-by-design principles has been one of CISA’s major talking points, although it’s less concrete than recent developments like the mandatory federal reporting requirements for critical infrastructure entities or the CISA-operated ransomware vulnerability warning program.

Katell Thielemann, a Gartner VP distinguished analyst, told CSO Online the pledge was not likely to result in industry-wide change or become a driving force in how CISOs at signatory firms make major decisions. The focus on software also excludes other important categories of products, she added.

“One of the things that is missing from my perspective is that it very specifically excludes physical products,” Thielemann told the outlet. “Software, increasingly, is built into all of these cyber-physical systems that underpin everything we do, from Tesla to the electrical grid.”
