Overview
This is a voluntary pledge focused on enterprise software products and services, including on-premises software, cloud services, and software-as-a-service (SaaS). Physical products such as IoT devices and consumer products are not covered by this pledge, but companies wishing to demonstrate progress in these areas are welcome to do so.
By participating in this pledge, software manufacturers pledge to make a conscientious effort over the next year to achieve the goals listed below. If a software manufacturer is able to make measurable progress toward a goal, the manufacturer must publicly document how it achieved such progress within one year of signing the pledge. If a software manufacturer is unable to make measurable progress, the manufacturer is encouraged, within one year of signing the pledge, to share with CISA how it has been working toward the goals and the challenges it faces. In the spirit of radical transparency, manufacturers are also encouraged to publicly document their approaches so others can learn. This pledge is voluntary and not legally binding.
This pledge consists of seven goals. Each goal has core criteria that manufacturers are committed to working towards, along with context and example approaches to achieving the goal and demonstrating measurable progress. To enable a variety of approaches, software manufacturers participating in the pledge have discretion to determine how they can best meet and demonstrate the core criteria of each goal. Demonstrating measurable progress across a manufacturer's products can take various forms, such as taking action on all of the manufacturer's products, or selecting a set of products to work on first and publishing a roadmap for the other products.
CISA recognizes and celebrates software manufacturers that have already met or exceeded these goals. If software makers have already met or exceeded their goals, they should publicly explain their progress. In these cases, CISA welcomes further efforts to exceed the goals of the pledge.
This pledge seeks to complement and build on existing software security best practices, including those developed by CISA, NIST, and other federal agencies, as well as international and industry best practices. CISA continues to support the adoption of complementary measures that promote a secure-by-design posture.