Cyber Resilience Briefing — April 30, 2024
CISA’s Secure by Design pledge progress report highlights vendor commitments to memory safety, vulnerability disclosure, and MFA defaults—signals customers can embed in procurement.
Executive briefing: At RSA Conference 2024, CISA published its first Secure by Design pledge progress report, summarizing how 68 vendors are implementing memory safety roadmaps, SBOM delivery, and secure default settings. Zeph Tech advises organizations to align contract language and vendor scorecards with these published goals.
Key industry signals
- Memory safety milestones. Vendors outlined timelines for migrating critical components to memory-safe languages; some committed to covering 50% or more of those components by 2025.
- Default security. Multi-factor authentication and logging are being enabled by default across pledged products, reducing deployment friction.
- Transparency. CISA will publish quarterly updates that name vendors missing their milestones, which raises the accountability pressure on signatories.
Control alignment
- NIST SP 800-218 SSDF PO.4. Incorporate secure-by-design criteria into supplier requirements and intake checklists.
- FedRAMP / StateRAMP. Reference the pledge in authorization packages to demand evidence of memory safety and SBOM delivery.
Detection and response priorities
- Monitor vendor advisories for memory-safety refactors that could affect the performance or compatibility of deployed products.
- Ensure vulnerability disclosure timelines align with the 90-day reporting commitments outlined in the pledge.
Enablement moves
- Update procurement scorecards to award points for vendors participating in the Secure by Design pledge.
- Communicate the pledge milestones to executive stakeholders so they understand how purchasing decisions influence software quality.
Zeph Tech analysis
- CISA is tracking concrete milestones. The pledge obligates signatories to ship memory-safe rewrites, secure-by-default configurations, and vulnerability disclosure automation by December 2025, with quarterly reporting beginning July 2024.
- Signatory list spans critical suppliers. Initial participants include AWS, Cloudflare, Google, Microsoft, Okta, and Rapid7, giving enterprises leverage to demand aligned roadmaps from their broader vendor portfolios.
- Metrics will surface laggards. CISA’s roadmap calls for measuring default MFA coverage, incident response telemetry, and exploitability windows, so customers can codify those metrics into supplier contracts.
Zeph Tech maintains vendor assessment templates that map Secure by Design commitments to measurable onboarding and renewal criteria.