
Cybersecurity · Credibility 79/100 · 2 min read

Cybersecurity Briefing — March 7, 2024

CISA launches the Secure by Design pledge with major software vendors, locking in concrete shipping commitments on memory safety, MFA, and default logging.

Executive briefing: On March 7, 2024 the Cybersecurity and Infrastructure Security Agency introduced a Secure by Design pledge signed by 17 global software and cloud providers, committing to ship memory-safe roadmaps, default multifactor authentication, and actionable logging telemetry.

Key policy signals

  • Engineering milestones. Signatories (including AWS, Cisco, Google, IBM, Microsoft, Palo Alto Networks, and Salesforce) agreed to publish timelines for migrating critical products to memory-safe languages by Q4 2025.
  • Default protections. The pledge requires vendors to ship MFA enabled by default for privileged accounts and expose standardized audit logs without premium licensing.
  • Transparency reporting. Participants must deliver annual progress reports to CISA, which will publish aggregated metrics starting in 2025.

Control alignment

  • NIST CSF 2.0 ID.IM. Update product-risk registers to track suppliers’ pledge milestones and adjust adoption strategies where memory safety or MFA commitments lag.
  • ISO/IEC 27034. Embed Secure by Design pledge criteria into software acquisition checklists and secure development lifecycle controls.

Detection and response priorities

  • Prepare SIEM content for the default audit logs that pledge participants will expose, so security teams can consume that telemetry as soon as it ships.
  • Cross-reference vulnerability management backlogs with vendors’ memory-safety timelines to prioritise upgrades when secure builds become available.

Enablement moves

  • Brief product and procurement teams on CISA’s reporting cadence to ensure partner scorecards reflect pledge compliance.
  • Encourage ecosystem partners to join the pledge or demonstrate equivalent controls, reducing variance across toolchains.

Sources

Zeph Tech tracks vendor pledge execution so security leaders can align procurement policies with federal secure-by-design expectations.

  • CISA
  • Secure by Design
  • Memory safety
  • MFA