The pledge provides guidelines for companies to achieve certain goals, while giving them flexibility in how to do so. It stresses the importance of public displays of progress and sharing techniques for others to learn from.
CISA collaborated with tech companies to develop the pledge, ensuring it was realistic for businesses of all sizes, not just large corporations. Initially, there were challenges in getting companies to sign, but after refining the pledge based on feedback from the Information Technology Sector Coordinating Council, more companies are now signing on.
Legal concerns are a major consideration for companies considering signing the pledge, as public statements could be used against them in the event of a security incident. Despite this, some global companies facing strict European security requirements may sign to receive recognition for measures they already have in place.
CISA's Secure by Design campaign is a key part of the Biden administration's cybersecurity strategy, which aims to shift responsibility for security from users to vendors. The initiative follows a series of supply-chain attacks on major software companies and a rise in software vulnerabilities exploited in ransomware attacks. In light of these incidents, the administration emphasizes the need for greater corporate accountability.