On April 10, 2024, at the RSA Conference, CISA Director Jen Easterly launched the Secure by Design Pledge, a voluntary commitment from software manufacturers to take measurable steps toward improving the security of their products. Over 100 technology companies signed the initial pledge, including major vendors like AWS, Cisco, Google, IBM, Microsoft, and Palo Alto Networks.
The pledge was the most concrete action to emerge from CISA's broader Secure by Design initiative, which had been articulated in white papers and guidance documents throughout 2023. By distilling the initiative into seven specific, measurable commitments with a one-year timeline, CISA attempted to move the conversation from principles to action.
The Seven Commitments
The pledge asked signatories to commit to measurable progress on seven goals within one year of signing:
1. Multi-factor authentication. Increase the use of MFA across the manufacturer's products, with a goal of reducing reliance on passwords as the sole authentication factor. This included making MFA available by default, not just as an optional configuration.
2. Default passwords. Reduce the prevalence of default passwords in products. Manufacturers committed to eliminating default passwords or implementing mechanisms that require users to set unique credentials during initial setup.
3. Reducing entire classes of vulnerabilities. Take steps to reduce or eliminate entire categories of vulnerabilities (such as SQL injection or cross-site scripting) through the use of memory-safe languages, parameterized queries, and other structural approaches.
4. Security patches. Increase the rate at which customers apply security patches by making patches easier to deploy, providing clearer guidance, and reducing the operational disruption of patching.
5. Vulnerability disclosure policy. Publish a vulnerability disclosure policy that allows security researchers to report vulnerabilities without legal risk and commits the manufacturer to timely remediation.
6. CVE reporting. Improve the transparency and timeliness of CVE reporting, including providing accurate CWE (Common Weakness Enumeration) classifications and ensuring that CVEs are filed for all significant vulnerabilities.
7. Intrusion evidence. Improve the ability of customers to detect intrusions by providing adequate logging and monitoring capabilities without requiring additional paid licenses or premium tier subscriptions.
Why This Matters
The Secure by Design pledge is significant for several reasons, even though it is voluntary.
First, it shifts the security burden toward manufacturers. The dominant paradigm in software security for the past two decades has been that customers are responsible for securing the products they buy. You buy a firewall, and if it ships with default credentials, that is your problem. You deploy an application, and if it has SQL injection vulnerabilities, you need to find and fix them.
CISA's pledge explicitly rejects this model. The premise is that software manufacturers have more ability to improve security than their customers do, and they should bear more of the responsibility. This is a philosophical shift with practical implications.
Second, the specificity of the commitments makes accountability possible. Previous Secure by Design guidance was aspirational. The pledge creates concrete benchmarks. Did a signatory reduce default passwords in their products? Did they make MFA available by default? Did they publish a vulnerability disclosure policy? These are binary questions with verifiable answers.
Third, the one-year timeline creates urgency. Signatories are expected to demonstrate progress within twelve months, not at some undefined future date. CISA has indicated they will track and publicize progress, creating social and market pressure for compliance.
The Skeptic's View
There are legitimate reasons to be skeptical. The pledge is voluntary. There are no penalties for failing to meet the commitments. Companies that sign but do not follow through face reputational risk, but the tech industry has shown a remarkable tolerance for broken security promises.
Additionally, some of the commitments are vaguely worded enough to allow generous interpretation. "Increase the use of MFA" could mean anything from making MFA universally available and enabled by default to adding an MFA option that 2% more customers use.
The absence of several notable companies from the initial signatory list was also telling. While CISA did not call out non-signatories by name, the gaps were visible to anyone who compared the signatory list against major software vendors.
The Logging Commitment Is Underrated
Of the seven commitments, the logging provision (commitment seven) may be the most impactful. In incident after incident, security teams discover that critical logs were either not generated or were locked behind premium licensing tiers.
Microsoft, notably, faced intense criticism in 2023 after the Storm-0558 breach of government email accounts because the audit logs that would have detected the intrusion were only available to customers paying for E5 or G5 licensing. Under public pressure, Microsoft announced in July 2023 that they would make these logs available to all customers.
The Secure by Design pledge formalizes this expectation across the industry. If manufacturers commit to providing adequate intrusion evidence without premium licensing, security teams will have better visibility into their environments, and the entire incident detection and response ecosystem improves.
What Signatories Should Actually Do
For companies that signed the pledge and want to take it seriously, the path forward involves concrete engineering and business decisions:
Move authentication defaults from "password only" to "MFA required" for administrative access and "MFA encouraged" for all users. Ship products with no default credentials and require credential setup during initial configuration.
Invest in eliminating vulnerability classes through language and framework choices. Adopt memory-safe languages for new development. Use ORM frameworks that prevent SQL injection. Implement Content Security Policy headers that mitigate XSS.
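As an added illustration of commitment three (not code from the original post or from Safeguard.sh), the Python below puts a string-concatenated user lookup beside its parameterized form over a constructed in-memory SQLite table, so the behavioural difference on awkward and hostile input is directly observable:

```python
import sqlite3

# Constructed sample data for this illustration: a tiny in-memory user table.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Build the in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_unsafe(conn, username):
    """Vulnerable pattern: the query text is assembled by concatenation, so any
    quote in the input is parsed as SQL rather than treated as data."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Hardened pattern: the query shape is fixed at development time and the
    input travels to the engine as a bound parameter, never as SQL text."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username):
    """Run the same lookup through both paths and return what each yields.
    A parse error on the unsafe path is reported as the string 'error'."""
    conn = make_db()
    try:
        unsafe = find_user_unsafe(conn, username)
    except sqlite3.OperationalError:
        unsafe = "error"
    return {"unsafe": unsafe, "safe": find_user_safe(conn, username)}


if __name__ == "__main__":
    # Benign input, a legitimate name containing an apostrophe, and the textbook
    # tautology probe: only the parameterized path behaves consistently for all.
    for probe in ("alice", "o'brien", "' OR '1'='1"):
        print(repr(probe), "->", compare(probe))
```

The apostrophe case shows why this is a correctness fix as much as a security one: the concatenated query breaks on ordinary names, while the parameterized query simply returns no match.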
Make patching frictionless. Automate patch delivery. Reduce the operational impact of updates. Provide clear, actionable patch notes that help customers understand what is being fixed and why it matters.
Publish a vulnerability disclosure policy that follows ISO/IEC 29147 guidelines. Participate in CVE Numbering Authority (CNA) programs to ensure timely and accurate CVE publication.
Provide security-relevant logging at no additional cost. Include audit logs, authentication logs, and access logs in the base product, not as a premium add-on.
How Safeguard.sh Helps
Safeguard.sh aligns directly with the Secure by Design philosophy. Our platform helps organizations verify that the software they deploy meets security standards, whether those standards come from the CISA pledge, internal policies, or regulatory requirements. Policy gates can enforce requirements like current patch levels, known vulnerability thresholds, and SBOM completeness, providing the accountability layer that makes voluntary commitments operational. For organizations evaluating software vendors, Safeguard.sh provides the visibility to assess whether a vendor is actually delivering on their security commitments or just signing pledges.