keys ransomware
Image: Unsplash+/Getty

These major software firms took CISA’s secure-by-design pledge. Here’s how they’re implementing it

The Cybersecurity and Infrastructure Security Agency’s (CISA) secure-by-design pledge has hit its six-month mark, and companies that took the pledge say they’ve made significant security improvements since they signed onto the initiative.

The pledge lays out seven goals: expanding multi-factor authentication, eliminating default passwords, eliminating entire categories of vulnerabilities, increasing customers’ installation of security patches, publishing a vulnerability disclosure policy, enriching vulnerability reports with more data and offering customers more information about intrusions.

Signatories contacted by Recorded Future News described achieving these goals in many ways, including requiring MFA for more users, helping customers migrate away from old products that no longer receive automatic updates and expanding the amount of activity logging that customers receive.

CISA agrees that companies have taken the pledge seriously. “We are already seeing significant impacts across the internet ecosystem as a result of this pledge,” Jack Cable, a senior technical adviser at CISA, told Recorded Future News in a newly published Q&A about the project, which he said has “exceeded expectations.”

Here is how five major companies that signed the pledge are taking steps to implement it — and go beyond it.

Amazon Web Services

The tech giant, whose cloud platform powers countless major websites, touted its progress on MFA since signing the pledge.

In July, the company began requiring administrator accounts to use MFA to sign in. At the same time, AWS added support for FIDO2 passkeys, hardware security tokens that are resistant to phishing attacks.

“Since April 2024 alone, nearly 700,000 AWS customers have enrolled in MFA for the first time,” said AWS CISO Chris Betz.

“On the day we signed the pledge,” Betz said, “we were well aligned with its elements and we continue to invest in these and other areas.”

Fortinet

Fortinet, which sells cyber defense products like intrusion detection systems, had already met many of the pledge’s goals before signing it, such as eliminating default passwords; providing Common Weakness Enumeration, or CWE, data in CVE reports; and publishing a vulnerability disclosure policy.

Since signing the pledge, Fortinet has enabled automatic updates on its entry-level devices. CISO Carl Windsor said the change “has measurably increased the uptake of security patches by customers.”

Fortinet has also begun requiring users of its cloud services to log in with MFA.

To improve patching, Fortinet says it’s helping users of its old, end-of-life security products migrate to newer devices that still receive updates. It’s also encouraging them to switch to cloud-based versions of its firewall and intrusion-detection offerings that it can update for them.

Microsoft

Few companies have received as much scrutiny for their cybersecurity failures as the maker of the world’s most popular operating system. As part of its Secure Future Initiative, Microsoft has embraced the pledge and even gone beyond it in some areas.

In late June, for example, Microsoft began publishing CVEs for critical flaws in its cloud services — even though such vulnerabilities don’t require any customer action, because Microsoft handles the fixes itself. The company has published CWE data for non-cloud vulnerabilities, as the pledge requires, since January.

In mid-October, in accordance with the pledge, Microsoft began requiring users of its Azure, Entra and Intune cloud services to sign in with MFA.

Microsoft also pursued the pledge’s goal of eliminating entire classes of vulnerabilities by standardizing identity technologies to eliminate user authentication errors. And while Microsoft’s cloud patches don’t require customer installation, which the pledge focuses on, the company last year promised to reduce the time it needed to fix cloud vulnerabilities by 50 percent.

Regarding the pledge goal of improving customer access to evidence of intrusions, Bret Arsenault, Microsoft’s corporate vice president and chief cybersecurity adviser, said the company has completed the actions that it laid out last October to give customers more log data — once a major point of contention between the tech giant and Capitol Hill.

Okta

Okta, the identity and access-management behemoth, has completed three of the pledge’s seven goals: reducing the use of default passwords, publishing a vulnerability disclosure policy and enriching CVEs with more data.

David Bradbury, Okta’s chief security officer, said the company is “on track” to complete the  other four by the one-year deadline.

“In the process of making this commitment, we identified exceptions and edge cases to some defaults that we intend to close out,” Bradbury said. “For example, Okta has best-in-class rates of MFA adoption among administrative users (91%). However, we have a self-defined target that 100% of Workforce administrators sign in using MFA.”

Okta has also expanded the number of “security-relevant events” that get logged when they occur on its platform, Bradbury said, in addition to adding “rich context” to each of these log entries to help defenders better understand them.

Sophos

Sophos, which sells cloud and on-premises security hardware and software, has achieved the “core requirements” of all seven pledge goals, according to CISO Ross McKerchar. It had already mandated MFA for all users prior to the pledge.

Sophos plans to let customers log into its web portal with FIDO2 tokens soon, and within a year, the company will add support for locally stored digital passkeys, which are considered the successor to passwords.

By next July, Sophos expects to add more logging features to help customers understand and respond to intrusions, McKerchar said. And by next September, it will let customers schedule automatic firmware updates for its firewall product.

A balanced approach

As CISA considers how to update or expand the pledge in its second year, signatories said that they appreciated its flexible format.

The goals are “both realistic for small IT firms to tackle while also offering even the largest IT providers room for improvement,” Fortinet’s Windsor said.

Marjorie Dickman, chief government affairs and public policy officer at BlackBerry, praised CISA’s “realistic and balanced approach” to the goals, which make them accessible to “organizations of all maturity levels.”

“CISA has struck a good balance and has found ways to raise the bar for everybody,” Okta’s Bradbury said. “We expect this program to be successful because the pledge goals are reachable, clearly articulated, and universally applicable.”

Bradbury said Okta “would not be opposed to CISA expanding its list of goals” in the coming year.

Even companies that took issue with certain aspects of the pledge said it would move the software industry in the right direction.

“While we may not agree on every detail in the document,” said Google spokesperson Kimberly Samra, “we think this is a great step forward for the ecosystem.”

But while many of the world’s biggest software companies have already signed the pledge, countless small and medium-sized developers have yet to jump onboard — a fact that could limit the pledge’s impact on the vast web of software that often flies under the radar until its failure causes a major incident.

“CISA has a good opportunity to build this out and expand who supports it,” said Jon Clay, vice president of threat intelligence at cyber firm Trend Micro, “as the existing pledges are a very small fraction of developers in the world.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Eric Geller

Eric Geller

is a freelance cybersecurity journalist covering all things digital security. He previously reported on cybersecurity for The Daily Dot, Politico, and The Messenger.