Overview This is a voluntary pledge focused on enterprise software products and services, including on-premises software, cloud services, and software as a service (SaaS). Physical products such as IoT devices and consumer products are not scoped in the pledge, though companies who wish to demonstrate progress in those areas are welcome to do so. By participating in the pledge, software manufacturers are pledging to make a good-faith effort to work towards the goals listed below over the following year. In the case where a software manufacturer is able to make measurable progress towards a goal, the manufacturer should publicly document how they have achieved such progress within one year of signing the pledge.

Where the software manufacturer is not able to make measurable progress, the manufacturer is encouraged to, within one year of signing the pledge, share with CISA how the manufacturer has worked towards the goal and any challenges faced.

And, in the spirit of radical transparency, the manufacturer is encouraged to publicly document their approach so that others can learn. This pledge is voluntary and not legally binding. The pledge is structured with seven goals. Each goal has the core criteria which manufacturers are pledging to work towards, in addition to context and example approaches to achieve the goal and demonstrate measurable progress. To enable a variety of approaches, software manufacturers participating in the pledge have the discretion to decide how best they can meet and demonstrate the core criteria of each goal.

Demonstrating measurable progress across the manufacturer’s products can take a variety of forms — such as by taking action on all the manufacturer’s products, or by choosing a set of products to first address and publishing a roadmap for other products. CISA acknowledges and applauds software manufacturers who already meet or exceed these goals. In such a case where a software manufacturer already meets or exceeds a goal, the manufacturer should publicly describe how they are doing so. In these cases, CISA welcomes additional efforts to go above and beyond the goals in the pledge.

This pledge seeks to complement and build on existing software security best practices, including those developed by CISA, NIST, other federal agencies, and international and industry best practices. CISA continues to support adoption of complementary measures that advance a secure by design posture.