Commitment to security by design | LPCC

Preview

This is a voluntary commitment focused on enterprise software products and services, including on-premises software, cloud services, and software as a service (SaaS). Physical products such as IoT devices and consumer products are not covered by the pledge, although companies wishing to demonstrate progress in these areas are encouraged to do so.

By participating in this pledge, software manufacturers agree to make good faith efforts to achieve the goals listed below during the following year. In the event that a software manufacturer is able to make measurable progress toward a goal, it must publicly document how it achieved that progress within one year of signing the pledge. When the software company is unable to make measurable progress, it is encouraged to, within one year of signing the commitment, share with CISA how it worked to achieve the goal and the challenges encountered. And, in the spirit of radical transparency, the manufacturer is encouraged to publicly document its approach so others can learn from it. This commitment is voluntary and not legally binding.

The commitment is structured around seven objectives. Each goal includes the core criteria that manufacturers commit to working toward, in addition to context and examples of approaches to achieving the goal and demonstrating measurable progress. To enable a variety of approaches, software manufacturers participating in the engagement have the discretion to decide how best to meet and demonstrate the core criteria of each objective. Demonstrating measurable progress on the manufacturer’s products can take various forms, such as taking measurements on all of the manufacturer’s products or choosing a set of products to address first and publishing a roadmap for other products.

CISA recognizes and applauds software manufacturers who are already meeting or exceeding these goals. In case a software maker already meets or exceeds a goal, it must publicly describe how it achieves it. In these cases, CISA welcomes additional efforts to go beyond the objectives of the engagement.

This commitment is intended to complement and build upon existing software security best practices, including those developed by CISA, NIST, other federal agencies, as well as international and industry best practices. CISA continues to support the adoption of complementary measures that promote a secure posture by design.