CISA Launches Secure by Design Pledge — April 30, 2024

Executive briefing: On 30 April 2024 the Cybersecurity and Infrastructure Security Agency (CISA) unveiled the Secure by Design Pledge, asking leading software and technology companies to commit to specific engineering improvements that measurably reduce exploitability. Initial signatories pledged to expand memory-safe programming languages, enable multi-factor authentication (MFA) by default, shorten vulnerability remediation timelines, and publish secure configuration baselines.

Pledge focus areas

• Memory safety. Increase adoption of memory-safe languages in new codebases and critical product updates.
• MFA by default. Deliver phishing-resistant authentication enabled by default for privileged and customer-facing accounts.
• Vulnerability management. Track patch timelines, coordinated disclosure performance, and security telemetry coverage.

Control alignment guidance

• Secure development lifecycle. Embed threat modeling, secure coding standards, and automated testing aligned with CISA’s pledge metrics.
• Identity governance. Extend MFA coverage metrics to include customer and partner access channels, reducing reliance on passwords.
• Supplier management. Require vendors to disclose Secure by Design commitments and progress, especially for critical SaaS and infrastructure providers.

Operational recommendations

• Benchmark internal engineering practices against the pledge goals and publish executive dashboards to track progress.
• Incorporate memory-safe language adoption and vulnerability remediation speed into engineering OKRs and incentive plans.
• Engage product marketing and customer success teams to communicate default security enhancements and support adoption.

Related briefings

Curated signals from the same pillar or overlapping topics.

Cybersecurity · Credibility 91/100 · May 10, 2024

CISA, FBI, and HHS Warn of Black Basta Ransomware Surge — May 10, 2024

U.S. cyber agencies detailed Black Basta’s tactics and urged critical infrastructure operators to harden remote access and backups.

Cybersecurity · Credibility 88/100 · April 17, 2024

Global Partners Issue Secure AI Implementation Guidance — April 17, 2024

UK NCSC, CISA, and 18 allied agencies published implementation guidance to operationalize secure-by-design controls for AI systems.

Cybersecurity · Credibility 93/100 · May 16, 2024

CISA Issues Binding Operational Directive 24-02 — May 16, 2024

Federal civilian agencies must disable insecure network management protocols and harden remote administration interfaces under CISA’s latest binding directive.

Cybersecurity · Credibility 89/100 · November 14, 2023

CISA and Global Partners Press for Memory-Safe Roadmaps — November 14, 2023

Nineteen international agencies urged technology manufacturers to publish transition plans away from memory-unsafe languages and legacy code.

Cybersecurity · Credibility 91/100 · October 30, 2023

Executive Order 14110 on Safe, Secure, and Trustworthy AI — October 30, 2023

Executive Order 14110 directs NIST, DHS, and sector risk agencies to build secure-by-design AI guidance, critical infrastructure risk frameworks, and red-teaming regimes—demanding governance to oversee compliance…

Continue in the Cybersecurity pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Cybersecurity Operations Playbook — Zeph Tech

  Use Zeph Tech research to align NIST CSF 2.0, CISA KEV deadlines, and sector mandates across threat intelligence, exposure management, and incident response teams.