Is CISAs Secure by Design Pledge Toothless?

Published: 23/11/2024   Category: security




CISA's agreement is voluntary and, frankly, basic. Signatories say that's a good thing.



At 2024's RSA Conference this week, brand names like Microsoft, Amazon Web Services (AWS), International Business Machines (IBM), Fortinet, and more agreed to take steps toward meeting a set of seven objectives defined by the US's premier cyber authority. The agreement is voluntary, not legally binding, anodyne, and can be flexibly applied to all or just one of a company's products or services. Still, signees say, it may help move the needle to incentivize good security practices and investments across industries.
"I think that this represents the zeitgeist," says Grant Geyer, CPO of Claroty, one of the signatories. "It's a recognition that as more of us agree that we're going to operate at a certain standard, that makes it more comfortable and open for others to do the same."
CISA's Secure by Design pledge consists of areas of improvement split into seven primary categories: multi-factor authentication (MFA), default passwords, reducing entire classes of vulnerability, security patches, vulnerability disclosure policy, CVEs, and evidence of intrusions.
The pledge contains nothing revolutionary and has no teeth whatsoever. But for those involved, that's all beside the point.
"While they may not have direct authority, I think that there is indirect authority by starting to define what the expectation is," says Chris Henderson, senior director of threat operations at Huntress, another signee.
For example, he says, "In the private space there are companies effectively war profiteering off of the security tooling within their products. You see a lot of companies adding security features behind paywalls because it's viewed as an easy way to increase revenue." In reality, a lot of these features don't actually cost any extra money to deliver, Henderson adds.
He thinks the pledge could be a new approach toward pushing public-private partnerships without new regulations.
"I think the Secure By Design pledge is a really interesting approach through private and government partnership to try to drive not regulation, but change what the expectation is for reasonable," Henderson says. "If you're a product that offers multi-factor authentication (MFA) or single sign-on (SSO), but it's behind a paywall, and one of your clients gets breached because they weren't paying for that, well, now are you negligent?"
Like Henderson, Jonathan Trull, CISO of Qualys (also a signatory), envisions the pledge's effects as primarily economic in nature. "In the commercial sector you've got two (incentive) mechanisms. You've got compliance, where it's binding and SEC-enforceable for publicly traded companies," Trull explains. "And then you've got the more powerful (one), which is: Where will the dollars flow?"
His hope is that these basic security principles start to influence tech buyers, Trull adds.
"I'm hoping buyers stop and say: 'Hey, why didn't you sign up for this?' Even if it's voluntary," he says.
Regardless of how companies address it, for Claroty's Geyer, the pledge alone is important in how it reframes the conversation around some fundamental security issues.
For example, there's vulnerability management. Organizations know to patch individual bugs when they pop up but, as CISA notes in its report, "The vast majority of exploited vulnerabilities today are due to classes of vulnerabilities that can often be prevented at scale."
In a recent analysis of more than 20 million assets, Claroty's Team82 found that 22% and 23% of all industrial OT and connected medical devices (IoMT), respectively, possessed vulnerabilities with critically ranked CVSS scores of 9.0 or higher. However, only 1.3% and 1.9% of industrial OT and IoMT devices were found to contain at least one known exploitable vulnerability and communicated directly with the Web instead of through a secure access solution.
"So if you take the traditional approach, you have to patch 23% of your assets," Geyer says. "Not only is that an enormous number, but what we found is that when you broaden out what a risk is — from just a vulnerability to things like default passwords, clear-text communications, the things that are covered in this pledge — you would only need to focus on 1.3% of your assets."
"If you did take the approach of catching all 23%, it turns out that you would miss 43% of the highest risks, like default credentials," Geyer adds. "So it's super important that CISA is taking a more expansive view of risk, rather than only focusing on vulnerabilities. That has been the traditional wisdom, and traditional wisdom is misguided, both in terms of effort and impact."
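The two triage models Geyer contrasts, a CVSS-only cut versus the pledge's broader view (exploitable and reachable, default credentials, clear-text protocols), as an added example that is not Claroty's or CISA's code. The inventory, device names and percentages below are constructed for illustration and are not the Team82 figures.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    """One OT/IoMT device with the risk signals the pledge's categories cover."""
    name: str
    max_cvss: float = 0.0            # highest CVSS base score among its open CVEs
    known_exploited: bool = False    # at least one CVE with public exploitation reports
    internet_exposed: bool = False   # talks to the web directly, not via a secure access solution
    default_credentials: bool = False
    cleartext_protocols: bool = False

def cvss_only(assets):
    """Traditional triage: every asset carrying a critical (>= 9.0) CVE is a patch target."""
    return [a for a in assets if a.max_cvss >= 9.0]

def expansive_risk(assets):
    """Pledge-style triage: exploitable AND reachable, or a weak default the pledge names."""
    return [a for a in assets
            if (a.known_exploited and a.internet_exposed)
            or a.default_credentials or a.cleartext_protocols]

def missed_by_cvss(assets):
    """Highest-risk assets a CVSS-only programme would never get round to."""
    patched = {a.name for a in cvss_only(assets)}
    return [a for a in expansive_risk(assets) if a.name not in patched]

def triage_report(assets):
    """Percentages in the shape Geyer quotes: workload under each model, and what CVSS-only misses."""
    exp = expansive_risk(assets)
    return {
        "cvss_workload_pct": round(100 * len(cvss_only(assets)) / len(assets), 1),
        "expansive_workload_pct": round(100 * len(exp) / len(assets), 1),
        "top_risks_missed_pct": round(100 * len(missed_by_cvss(assets)) / len(exp), 1),
    }

# Constructed sample inventory (hypothetical device names; not Claroty's data).
INVENTORY = [
    Asset("plc-01", max_cvss=9.8),
    Asset("plc-02", max_cvss=9.1),
    Asset("hmi-03", max_cvss=9.8, known_exploited=True, internet_exposed=True),
    Asset("pump-04", max_cvss=7.5, default_credentials=True),
    Asset("pump-05", max_cvss=9.0),
    Asset("gateway-06", max_cvss=6.5, cleartext_protocols=True),
    Asset("ct-scanner-07", max_cvss=9.3, known_exploited=True),  # reachable only via secure access
    Asset("camera-08", default_credentials=True),
    Asset("switch-09", max_cvss=5.0),
    Asset("workstation-10", max_cvss=4.3),
]

if __name__ == "__main__":
    print(triage_report(INVENTORY))
    print("missed by CVSS-only:", [a.name for a in missed_by_cvss(INVENTORY)])
```

On this sample the CVSS-only model queues half the fleet for patching yet never reaches three of the four assets the broader model ranks highest, which is the effort-versus-impact gap Geyer describes.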
