ALVOR
Platform
PricingCompare
Advisory
AboutBlog
Get Demo
ALVOR
Platform
PricingCompare
Advisory
AboutBlog
Get Demo
← All Posts
July 16, 2026·9 min read

CISA Secure by Design, Operationalized: From Seven Pledge Goals to a Working Process

The CISA Secure by Design pledge is easy to sign and hard to mean. Here is what each of the seven goals asks of an engineering organization, which practice owns it, and how buyers can tell a commitment from a logo.

Salman Khan·Secure by DesignSecurity ArchitectureEngineering

The CISA Secure by Design pledge has quietly become a checkbox on enterprise security questionnaires. Buyers scan vendor trust pages for it. Sales teams ask their CISOs why the logo is missing. And because the pledge is voluntary and self-reported, the market now contains two kinds of signers: companies that signed a PDF, and companies that changed how they build software.

This guide is for the second kind, and for the buyers who need to tell the two apart. The pledge's seven goals decompose into ordinary, assignable engineering and security-program work. Most of it is design-phase work. None of it requires a press release.

What the pledge actually is

CISA published its Secure by Design guidance in April 2023, jointly with international cybersecurity partners, arguing that the burden of security should shift from customers to the vendors best positioned to remove risk at the source. In May 2024 it followed with the voluntary Secure by Design pledge: a public commitment by makers of enterprise software and services to pursue measurable progress against seven goals within a year of signing, and to be transparent about the results. Hundreds of companies have signed as of mid-2026.

Three properties matter for anyone operationalizing it. The goals are measurable: each asks for a demonstrable increase or reduction, not an aspiration. Progress is self-reported: there is no auditor, which makes published evidence the only meaningful signal. And the unit of commitment is the product portfolio, not the company: a signer is supposed to move the numbers across its products, which is what makes the work land in engineering rather than in marketing.

The seven goals, translated into work

Here is each goal as CISA frames it, the operational move behind it, and the evidence a buyer is entitled to ask for.

Pledge goalThe operational moveEvidence a buyer can ask for
1 · Multi-factor authenticationMake MFA the default, not an upsell: on by default for admins, nudged for everyone, enforced via standards like FIDO2 where the product allowsMFA adoption rate across the customer base, and the trend since signing
2 · Default passwordsEliminate shared and default credentials from setup flows; provision unique credentials or force rotation on first useThe date default passwords stopped shipping, and what legacy installs get
3 · Reduce entire classes of vulnerabilityPick a class (injection, XSS, memory unsafety), then remove it structurally: safer frameworks, paved roads, parameterized-by-default librariesWhich class was chosen, the published reduction data, and the design changes behind it
4 · Security patchesMake patching the easy path: auto-update channels, clear support windows, patches decoupled from paid upgradesPatch uptake rates and the time customers typically run unpatched
5 · Vulnerability disclosure policyPublish a VDP with safe harbor for good-faith research and a working intakeThe VDP URL, and whether reports get acknowledged and resolved
6 · Transparent vulnerability reportingTreat CVE records as documentation: timely filings with complete CWE and CPE data, including for issues found internallyRecent CVE records; check them for CWE classification and honest severity
7 · Evidence of intrusionsGive customers the logs they need to investigate, in the base tier rather than behind a premium SKUWhich audit logs exist, their retention, and what they cost

Read down the middle column and a pattern appears: not one of these moves is a security-team task in isolation. They are product decisions, framework decisions, release-engineering decisions, and pricing decisions. That is the pledge's real content: it asks the whole engineering organization to treat security outcomes as product requirements.

Where each goal actually lives

Assigning the goals to owners is where most signers stall, because the goals cut across four different layers of the organization.

Product defaults (goals 1 and 2)

MFA on by default and the end of default passwords are product-management and identity-engineering decisions, made in setup flows and provisioning code.

The design phase (goal 3)

Entire classes of vulnerability are removed in architecture and design reviews, framework choices, and paved roads, long before any scanner runs.

Release and operations (goals 4 and 7)

Patch uptake is a release-engineering problem; customer-facing audit logs are a platform decision, and a pricing decision.

Program and transparency (goals 5 and 6)

The VDP and complete CVE records belong to the security program: policy, intake, PSIRT discipline, and the willingness to document flaws honestly.

Where the seven pledge goals live in an engineering organization

The layering explains a common failure mode. Companies that hand the pledge to the security team alone make quick progress on goals 5 and 6, which the security team controls, and never move goals 1 through 4, which it does not. The signature was corporate; the work is cross-functional. If your operating model has no forum where security, product, and engineering make binding design decisions together, that forum is the actual first deliverable. This is the same gap a security design review process exists to close.

Goal 3 is the one that separates signers

Six of the seven goals can be driven by determined program management. Goal 3, reducing entire classes of vulnerability, cannot, because a vulnerability class is not a bug backlog. It is a standing consequence of design decisions: which frameworks are permitted, where raw queries are allowed, which languages new services may use, what the paved road makes easy.

Removing a class therefore means changing how designs are made, not how findings are triaged. The teams that do this well run the same loop every time: pick one class, find where the design permits it, change the default so new designs cannot express the flaw, then burn down the legacy surface on a schedule. Parameterized queries as the only database path. Output encoding built into the template layer. Memory-safe languages for new network-facing code. Each of these is a design review policy first and an engineering migration second.

This is also where the pledge quietly rewards companies that already run security as a design-phase practice. If every significant design passes through review, with threats modeled against the architecture and controls mapped before build, then "which class are we eliminating next" becomes a routine roadmap question rather than a moonshot. That standing capability is exactly what a security architecture program is for.

How buyers should read a signature

The pledge's self-reported nature is not a weakness if you ask the follow-up questions. The signature tells you a company wanted the reputational benefit; the evidence tells you whether it did the work.

Signed the PDF

  • The logo is on the trust page; the progress report is nowhere
  • MFA exists but is off by default, or gated to premium tiers
  • No vulnerability class named, no reduction data published
  • Audit logs cost extra, retention is days, export is manual
  • CVE records are sparse, late, or missing CWE data

Meant it

  • Published progress, with numbers, within a year of signing
  • MFA and unique credentials are the unconfigured default
  • A named class of vulnerability with before-and-after evidence
  • Security logs in the base tier with usable retention
  • CVE records filed promptly, classified, and honest about severity
Reading a vendor's pledge status

One caution in the other direction: absence of the logo is weak evidence. Plenty of disciplined engineering organizations never signed, and the questions in the table above work just as well on them. Ask the questions; skip the logo-scanning.

The Monday-morning moves

For a team that wants the substance with or without the signature, this is the work, ordered so the early items fund the later ones with credibility.

This month

  • Publish a vulnerability disclosure policy with safe harbor and a monitored intake
  • Set a CVE standard: file promptly, include CWE and affected-version data, apply it to internally found issues too
  • Inventory where default or shared credentials still ship, and where MFA is off by default

This quarter

  • Turn MFA on by default for administrative access in every product
  • Kill default passwords in new installs; publish the plan for existing ones
  • Move essential audit logs into the base tier and document their retention

This year

  • Pick one vulnerability class and remove its preconditions from the paved road
  • Route every significant design through a review that models threats against the architecture
  • Publish the numbers: MFA adoption, patch uptake, the class-reduction data
Operationalizing the pledge, in order of effort

The tell

A signer who means it publishes numbers that could embarrass them. MFA adoption trends, patch uptake rates, the vulnerability class they picked and how far they got: transparency about unfinished work is the strongest signal the pledge changed anything, because it is the one signal a marketing team would never fake.

The pledge as a forcing function

Treat the seven goals as a free, externally credible argument for the operating model security teams have wanted all along: product defaults decided deliberately, designs reviewed before build, classes of weakness engineered out rather than patched around, and honesty in public reporting. Signed or not, that is just what a mature engineering organization looks like.

The design-phase share of that work, the reviews, the threat models, the decisions with names attached, is what Alvor's Secure by Design module runs as a governed workflow, so the practice survives contact with a real roadmap.

Questions this guide gets asked

Is the CISA Secure by Design pledge legally binding?

No. It is a voluntary commitment, not a regulation or a contract. Signers agree to pursue measurable progress against the seven goals within a year of signing, and to be transparent about how it is going. The enforcement mechanism is reputational: the pledge is public, so a signer that shows no progress is making a statement too.

Does signing the pledge require a certification or an audit?

No. There is no assessor, no certificate, and no pass line. Progress is self-reported, which is why the pledge emphasizes radical transparency: publishing the numbers, the blog posts, and the roadmaps that let outsiders judge the work. For buyers, that self-reported nature is exactly why the follow-up questions matter more than the signature.

What is the difference between Secure by Design and Secure by Default?

Secure by Design means engineering products so that whole categories of weakness are removed or reduced during design and build. Secure by Default means the product arrives with its protective settings already on: MFA enabled, no default password, security logs included rather than sold separately. The pledge contains both ideas; goals like eliminating default passwords are default work, while reducing classes of vulnerability is design work.

Does the pledge apply to SaaS companies?

Yes. The pledge is aimed at makers of enterprise software products and services, which includes on-premises software, cloud services, and SaaS. It is not aimed at consumer products, physical devices, or custom software built under contract, though the underlying principles travel well.

How should a security team use the pledge if their company builds software but has not signed?

Use the seven goals as a free, externally credible roadmap. Each goal names a measurable outcome that would improve almost any product's posture, signed or not. Start with the two cheapest wins, a vulnerability disclosure policy and complete CVE records, then put the deeper work, MFA defaults and vulnerability class reduction, on the design-phase roadmap.

SK

Written by

Salman KhanCo-Founder & CEO, Alvor

Salman co-founded Alvor, the security and compliance platform, and leads its security architecture practice. He writes about design reviews, threat modeling, and running security programs that engineering teams don't route around.

Related in Alvor

Secure by Design

Embed security into the development lifecycle with design review workflows, threat modeling, and approval processes.

Learn more →
← All Posts
ALVOR

Security architecture, management, and compliance: connected into one source of truth.

Security, Simplified.

Platform

  • Overview
  • AI Assistant
  • Security Architecture
  • Assets
  • Components
  • Dependency Mapping
  • Data Governance
  • Secure by Design
  • Security Design Review
  • Threat Modeling
  • Risk
  • Compliance
  • Policy
  • Program
  • Business Continuity
  • TPRM

Solutions

  • Startups
  • Mid-Market
  • Enterprise

Company

  • About
  • Advisory
  • Compliance
  • Blog
  • Security
  • Pricing
  • Compare

Legal

  • Privacy
  • Cookie Policy
  • Terms
  • Disclosure

© 2026 Alvor, Inc. All rights reserved.

LinkedIn