Updated: June 21, 2026
CISA Pledge Adds Vendor Review Signal
CISA’s Secure By Design Pledge has become a current vendor security review signal after the agency listed 367 organizations as signers, giving software buyers a public checkpoint for supplier due diligence. The pledge remains voluntary, but CISA’s progress-report process and 7 product-security goals now give procurement, security and risk teams a sharper way to question vendors about secure defaults, MFA, vulnerability handling, patching and customer-facing evidence.
Why Does CISA’s 367-Signer Secure By Design Pledge Matter For Software Buyers?
CISA’s 367-signer Secure By Design Pledge matters because buyers can now use the public signer list as a starting point for vendor security review. The list does not prove that a product is secure, but it gives customers a clear basis to request progress reports, evidence and product-specific answers.
CISA describes the pledge as a voluntary commitment for enterprise software products and services, including on-premises software, cloud services and SaaS. The agency says the pledge is structured around 7 goals and asks manufacturers to make a good-faith effort toward measurable progress.
The buyer angle is immediate. A signer can be asked to show what changed after it joined the pledge. A non-signer can be asked whether its roadmap covers the same goals, why it has not signed and what evidence it offers instead.

When Did CISA’s Secure By Design Pledge Grow From Guidance To 367 Signers?
CISA’s Secure By Design effort moved from guidance to a large public pledge list between 2023 and 2026. The earliest major step was the April 13, 2023 publication of “Shifting The Balance Of Cybersecurity Risk,” a joint product from CISA, NSA, FBI and international partners.
The White House released the National Cybersecurity Strategy on March 2, 2023, calling for a shift of cybersecurity responsibility from end users to organizations best positioned to reduce systemic risk. CISA and partners then updated Secure By Design guidance in October 2023 with more detail on transparency, leadership and accountability.
CISA announced the pledge on May 8, 2024, with 68 software manufacturers. Axios, Wired and The Wall Street Journal reported that major technology companies joined or were expected to join the effort at RSA Conference. CISA’s current signer page now lists 367 companies, showing the program has moved from a launch cohort to a broad vendor-assurance reference point.
What Are CISA’s 7 Secure By Design Pledge Goals?
CISA’s Secure By Design Pledge has 7 goals: expand MFA, reduce default passwords, reduce whole classes of vulnerabilities, improve security patch adoption, publish vulnerability disclosure policies, improve CVE quality and provide customers with evidence of intrusions. These goals focus on outcomes buyers can observe or verify.
The goals connect directly to common vendor-risk questions. Buyers can ask whether MFA is free and enabled for privileged users, whether default passwords are eliminated, whether memory safety, SQL injection, cross-site scripting or OS command injection reduction programs exist and whether patch adoption rates are measured.
CISA’s Secure By Design Alerts add context. CISA and FBI have called on software manufacturers to eliminate SQL injection, directory traversal, cross-site scripting and OS command injection vulnerabilities, arguing that these classes are preventable and should be addressed at the manufacturer level.
Which Software Vendors And Buyers Are Affected By The CISA Secure By Design Pledge?
The pledge affects enterprise software manufacturers, cloud service providers, SaaS vendors, cybersecurity companies and buyers that rely on third-party software. The program is voluntary, but it creates practical pressure because customers can compare signers, progress reports and product-security claims during procurement.
Affected buyers include federal agencies, state and local governments, healthcare organizations, financial institutions, critical infrastructure operators and large enterprises. These organizations often need evidence that suppliers reduce customer burden rather than shifting every security task to administrators.
The scope is broader than the signer list. CISA’s Secure By Demand guidance, released on August 6, 2024, tells software customers to ask acquisition questions that test whether suppliers consider security from the earliest stages of development. That means even non-signers can face pledge-style review questions.
What Legal Or Enforcement Weight Does CISA’s Secure By Design Pledge Carry?
CISA’s Secure By Design Pledge does not create a direct fine, penalty or enforcement regime because it is voluntary. The legal and business weight comes from public commitments, procurement records, federal software security requirements, customer contracts and the risk of inaccurate security claims.
The pledge sits beside stronger federal software-security mechanisms. NIST SP 800-218 gives a Secure Software Development Framework for suppliers and buyers, while federal software attestation rules require certain software producers to attest to secure development practices for government use.
CISA says that a listing on its progress-report page does not mean the agency endorses any commercial entity, product or service. That disclaimer matters for buyers: a signer badge should start a review, not end one.
What Vendor Review Questions Should Buyers Ask Secure By Design Pledge Signers?
Buyers should use the Secure By Design signer list as a questionnaire trigger rather than a pass-fail badge. The main task is to request evidence that the vendor has made measurable progress against the 7 pledge goals and can explain how that progress applies to the specific product under review.
1. Ask when the vendor signed the pledge and which products, services and business units the pledge covers.
2. Ask for the latest public progress report or equivalent evidence against each of the 7 goals.
3. Ask whether MFA, logging, SSO and security controls are included without extra fees for covered enterprise products.
4. Ask how the vendor eliminated or reduced default passwords in production deployments.
5. Ask which vulnerability classes the vendor targeted and what metrics show reduction.
6. Ask how the vendor measures patch adoption and reduces customer friction during updates.
7. Ask whether the vendor publishes a vulnerability disclosure policy, complete CVE fields and customer-facing investigation logs.
How Are Software Companies Reporting Progress On CISA’s Secure By Design Pledge?
Software companies are reporting progress through public statements, CISA-linked progress reports and company security updates. CISA’s progress-report page says pledge signers committed to a good-faith effort toward the 7 goals and lets buyers click company entries to review progress to date.
Public reports vary in depth. Microsoft’s April 2025 Secure Future Initiative progress report said the company had dedicated the equivalent of 34,000 engineers working full-time for 11 months to high-priority security work. Sophos said in July 2025 that it had made progress against the 7 pillars but had not fully realized every goal.
The Record reported at the 6-month mark that companies including AWS, Fortinet, Microsoft, Okta and Sophos described progress after joining the pledge. That reporting supports the buyer view that progress evidence, not the signature alone, is the important review material.
What Government Actions Support CISA’s Secure By Design Vendor Review Push?
CISA’s Secure By Design Pledge is part of a wider federal push to shift software security responsibility toward manufacturers. The National Cybersecurity Strategy, CISA’s joint Secure By Design guidance, NIST SSDF, software attestation rules and Secure By Demand guidance all support the same procurement direction.
NIST SP 800-218, published in 2022, gives a common vocabulary for secure software development and says buyers can use it in acquisition and supplier communications. CISA’s attestation form and related federal requirements add another procurement layer for software used by federal agencies.
CISA’s Secure By Demand guide is the buyer-side bridge. The guide says acquisition teams often understand general cybersecurity needs but may not assess whether suppliers have security practices and policies from the earliest stages of the product lifecycle.
What Costs And Business Consequences Follow The Secure By Design Pledge?
The Secure By Design Pledge creates business consequences because buyers can compare vendors on public commitments, progress evidence and product-security defaults. Signers may face pressure to fund engineering work, improve logging, publish better CVEs, reduce default credentials and measure patch adoption across product lines.
The cost is not only technical. Vendors need legal, product, engineering, support, vulnerability disclosure and customer-success teams to agree on public claims and measurement methods. Weak progress reports can create reputational risk when buyers ask for proof.
For buyers, the consequence is better review structure. A vendor’s pledge status can be added to security questionnaires, contract reviews, renewal reviews and third-party risk scoring. The signer list gives customers a public anchor for questions that used to depend on private trust-center language.
What Remains Unclear About CISA’s Secure By Design Pledge Signers?
The main unresolved issue is evidence consistency. CISA lists 367 signers, but the pledge does not impose one audit format, one scoring model or one required maturity level. Two signers may use different baselines, metrics and product scopes when they describe progress.
A second open issue is how buyers will treat non-signers. Some mature vendors may have strong secure development programs without signing the pledge. Buyers should compare evidence, not treat signer status as the only indicator of software security.
A third question is future legal weight. The pledge is voluntary today, but public commitments can influence customer expectations, contract negotiations and post-incident scrutiny. A vendor that signs and later fails to show progress may face tougher questions than one that made no public pledge.
How Bright Defense Helps Buyers Review CISA Secure By Design Pledge Vendors
Bright Defense helps organizations use CISA’s Secure By Design Pledge as a practical vendor security review angle through Penetration Testing, Continuous Compliance and Security Assessments. The work focuses on whether vendor claims match real product exposure, access paths, cloud controls, logging, patching, vulnerability handling and incident evidence.
For software buyers, Bright Defense can review supplier security questionnaires, test exposed applications, validate customer-facing controls, assess logging, examine secure configuration gaps and document product-risk findings. That evidence helps procurement, legal and security teams separate a signer badge from actual product assurance.
Sources Cited
CISA — Secure By Design Pledge Signers (2026) https://www.cisa.gov/securebydesign/pledge/secure-design-pledge-signers
CISA — Secure By Design Pledge (2026) https://www.cisa.gov/securebydesign/pledge
CISA — Secure By Design Progress Reports (2026) https://www.cisa.gov/securebydesign/pledge/progress-reports
CISA — CISA Announces Secure Design Commitments From Leading Technology Providers (May 8, 2024) https://www.cisa.gov/news-events/news/cisa-announces-secure-design-commitments-leading-technology-providers
CISA — Shifting The Balance Of Cybersecurity Risk: Principles And Approaches For Security By Design And Default (April 13, 2023) https://www.cisa.gov/sites/default/files/2023-04/principles_approaches_for_security-by-design-default_508_0.pdf
CISA — Shifting The Balance Of Cybersecurity Risk: Principles And Approaches For Secure By Design Software (October 2023) https://www.cisa.gov/sites/default/files/2023-10/Shifting-the-Balance-of-Cybersecurity-Risk-Principles-and-Approaches-for-Secure-by-Design-Software.pdf
CISA — CISA Releases Secure By Demand Guidance (August 6, 2024) https://content.govdelivery.com/accounts/USDHSCISA/bulletins/3ad310c
NIST — SP 800-218, Secure Software Development Framework Version 1.1 (February 2022) https://csrc.nist.gov/pubs/sp/800/218/final
White House — National Cybersecurity Strategy (March 2, 2023) https://bidenwhitehouse.archives.gov/oncd/national-cybersecurity-strategy/
AP — White House Cybersecurity Strategy Stresses Software Safety (March 2, 2023) https://apnews.com/article/216e18a6cb01a0f2e7b63a6031b876f1
Axios — CISA Lays Out How To Practice Secure By Design (October 18, 2023) https://www.axios.com/2023/10/18/cisa-cyber-security-secure-by-design-principles
Wired — The U.S. Government Is Asking Big Tech To Promise Better Cybersecurity (May 1, 2024) https://www.wired.com/story/cisa-cybersecurity-pledge/
The Wall Street Journal — Tech Giants Agree To Build Security Into Software Products (May 2024) https://www.wsj.com/articles/tech-giants-agree-to-build-security-into-software-products-c1cb3213
The Record — With Nation-State Threats In Mind, Nearly 70 Software Firms Agree To Secure By Design Pledge (May 8, 2024) https://therecord.media/secure-by-design-companies-cisa-rsa
SANS NewsBites — Companies Report Progress In Implementing CISA Secure By Design Pledge (2024) https://www.sans.org/newsletters/newsbites/xxvi-87
Microsoft — Securing Our Future: April 2025 Progress Report On Microsoft’s Secure Future Initiative (April 21, 2025) https://www.microsoft.com/en-us/security/blog/2025/04/21/securing-our-future-april-2025-progress-report-on-microsofts-secure-future-initiative/
Sophos — Sophos’ Secure By Design 2025 Progress (July 28, 2025) https://www.sophos.com/en-us/blog/sophos-secure-by-design-2025-progress
CISA — Secure By Design Alert: Eliminating OS Command Injection Vulnerabilities (July 2024) https://www.cisa.gov/resources-tools/resources/secure-design-alert-eliminating-os-command-injection-vulnerabilities