The Cybersecurity and Infrastructure Security Agency (CISA) announced that 68 leading software manufacturers voluntarily committed to CISA’s Secure by Design pledge. By joining this initiative, these software manufacturers pledge to deliver measurable progress towards seven specific goals, all with the intention of securing critical infrastructure.
The seven goals in this commitment (which are to be carried out within one year) are as follows:
- Demonstrate actions taken to increase the use of multi-factor authentication (MFA) throughout the manufacturer’s products.
- Reduce default passwords throughout the manufacturer’s products.
- Demonstrate a measurable reduction in one or more vulnerability classes throughout the manufacturer’s products.
- Increase the rate at which customers install security patches.
- Release a vulnerability disclosure policy (VDP) that allows for public testing, commits not to take legal action against those who follow the VDP in good faith, presents a clear process for reporting vulnerabilities, and allows for public discussion of vulnerabilities.
- Demonstrate transparency in reporting vulnerabilities by ensuring every Common Vulnerabilities and Exposures (CVE) record includes accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields. Furthermore, issue CVE reports in a timely manner.
- Increase the customer’s ability to collect evidence of cybersecurity intrusions that impact the manufacturer’s products.