68 software companies commit to making products more secure

  • May 10, 2024

Sixty-eight software companies have signed CISA’s Secure by Design pledge, committing to make their products more secure based on seven goals.

The US Cybersecurity and Infrastructure Security Agency (CISA) announced in a statement that 68 software companies have signed the Secure by Design pledge. The companies promise to develop products with integrated security. Signatories include AWS, Google, Microsoft, GitHub and dozens of other companies. The commitment includes seven goals that must be reported on one year after signing.

Seven goals

CISA has identified seven goals that companies must achieve. The objectives listed below must be reported within one year of signing.

  • Multi-factor authentication (MFA): Companies must report what measures they have taken to measurably increase the use of MFA in their products.
  • Default passwords: The number of default passwords for all products should be measurably reduced.
  • Reduce vulnerability: A clearly measurable reduction in the prevalence of one or more vulnerability classes in the products must be achieved.
  • Security patches: The installation of security patches by customers must be measurably increased.
  • Vulnerability Disclosure Policy: Software companies must publish a Vulnerability Disclosure Policy (VDP).
  • CVEs: Transparency in vulnerability reporting should be demonstrated by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in each Common Vulnerabilities and Exposures (CVE) record for the manufacturer’s products.
  • Evidence of break-ins: Increase customers’ ability to collect evidence of cybersecurity breaches affecting the manufacturer’s products.

You can find the list of participating software companies and more information about the goals and promises on the CISA website.

Source: IT Daily
