summary
This is a voluntary pledge that focuses on enterprise software products and services, including on-premises software, cloud services, and software as a service (SaaS). The pledge does not include physical products such as IoT devices and consumer products, although companies that want to demonstrate progress in these areas are welcome to do so.
By participating in this pledge, software manufacturers pledge to make a good faith effort to work toward the goals listed below during the following year. In the event that a software manufacturer is able to make tangible progress toward the goal, the manufacturer must publicly document how it achieved that progress within one year of signing the pledge. When a software manufacturer is not able to make tangible progress, the manufacturer is encouraged, within one year of signing the pledge, to share with CISA how the manufacturer is working to achieve the goal and any challenges it faces. In the spirit of radical transparency, the manufacturer is encouraged to publicly document its approach so others can learn. This pledge is voluntary and not legally binding.
The pledge is organized with seven goals. Each goal contains the key benchmarks that manufacturers pledge to work toward, as well as context and examples for achieving the goal and demonstrating measurable progress. To enable a variety of approaches, software manufacturers participating in the Pledge have discretion to determine how they can best meet and demonstrate the core criteria for each goal. Showing measurable progress across a manufacturer’s products can take a variety of forms – such as taking action on all of a manufacturer’s products, or by selecting a group of products to address first and publishing a roadmap for other products.
CISA recognizes and applauds software manufacturers who have already met or exceeded these goals. In such a case, where a software manufacturer actually meets or exceeds a target, the manufacturer must publicly describe how it does so. In these cases, CISA welcomes additional efforts to exceed the goals in the pledge.
This pledge seeks to complement and build upon existing software security best practices, including those developed by CISA, NIST, other federal agencies, and international and industry best practices. CISA continues to support the adoption of complementary measures that enhance Secure by Design.