
Infrastructure Resilience Briefing — April 30, 2024

CISA launched the Secure by Design pledge with leading software vendors committing to memory-safe roadmaps, vulnerability disclosure, and MFA defaults across product lines.

Executive briefing: The Cybersecurity and Infrastructure Security Agency (CISA) unveiled a voluntary Secure by Design pledge on April 30, 2024 with 68 major technology vendors, including Amazon, Google, Microsoft, and IBM. Signatories commit to seven measurable goals covering memory-safe code, MFA-by-default, zero-trust architecture, vulnerability reporting timelines, and secure development training. CISA will track progress through annual self-assessments and public updates.

Key commitments

  • Memory safety. Vendors will publish language migration roadmaps and targets to reduce memory-unsafe code in critical products.
  • MFA enablement. Signatories agree to ship MFA or passwordless authentication enabled by default for privileged and administrator accounts.
  • Incident transparency. Companies will implement rapid vulnerability intake and disclosure processes, delivering fixes to supported products within specified timeframes.

Operational priorities

  • Vendor engagement. Assess supplier participation in the pledge and incorporate roadmap expectations into third-party risk management reviews.
  • Secure development alignment. Map internal SDLC controls to CISA's pledge metrics—secure-by-default configurations, fuzzing coverage, and memory-safe coding plans.
  • MFA verification. Validate that vendors enable phishing-resistant MFA or passkeys by default and document compensating controls when exceptions remain.

Program assurance

  • Metrics reporting. Request annual progress reports from key suppliers and track alignment with enterprise resilience scorecards.
  • Contractual hooks. Update procurement language to reference Secure by Design goals, ensuring commitments survive product or service renewals.
  • Internal benchmarking. Use pledge benchmarks to evaluate internal product teams and prioritize investments in memory-safe refactoring and automated testing.

Sources

Zeph Tech is leveraging the Secure by Design pledge to pressure vendors on memory safety roadmaps, MFA defaults, and vulnerability remediation transparency.
