dev-resources.site

Secure-by-Design: How AWS, Microsoft, and Others Are Embracing CISA's Cyber Goals

Published at
12/14/2024
Categories
cybersecurity
testing
aws
cloud
Author
Adedeji Michael

Since its introduction six months ago, the Cybersecurity and Infrastructure Security Agency's (CISA) secure-by-design pledge has catalyzed substantial cybersecurity enhancements across the software industry. The pledge, which encourages companies to prioritize security in their design and development processes, sets goals such as removing default passwords, enforcing multi-factor authentication (MFA), improving logging transparency, and adopting a proactive stance on vulnerability management.

Industry Response and Key Security Initiatives

Several major companies have embraced the pledge and made measurable advancements:

  • Amazon Web Services (AWS): AWS now mandates MFA for administrator accounts and has introduced FIDO2 passkeys, offering phishing-resistant authentication.
  • Fortinet: The company has rolled out automatic updates for entry-level devices and supports customers transitioning to cloud-based security products.
  • Microsoft: Enhancing security across Azure and Intune, Microsoft has increased MFA enforcement, committed to reducing cloud vulnerability patching times by 50%, and expanded customer access to logging data, partially in response to feedback from Capitol Hill.
  • Okta: As a leader in identity and access management, Okta has nearly eliminated default passwords and improved logging for security-critical events.
  • Sophos: Sophos has fulfilled all seven pledge requirements, enhancing customer options with FIDO2 token support and automatic firmware updates.

Many of these companies commend CISA's pledge for setting a practical yet ambitious framework that supports organizations of all sizes in strengthening their cybersecurity.

Expanding Impact and Future Outlook

While CISA is exploring ways to expand the pledge's objectives next year, industry leaders agree that the pledge has already helped elevate security standards across the software sector. Experts like Jon Clay from Trend Micro suggest that the pledge's influence could grow further if it attracts a wider range of developers, including small and medium-sized companies. By embracing secure-by-design principles, these additional participants could contribute to an even more resilient cybersecurity ecosystem.
