
DigitalXForce Signs CISA’s Secure by Design Pledge


CISA’s Secure by Design pledge transforms cybersecurity approaches through seven core pillars. As cyber threats continue to evolve at an unprecedented pace, the framework shifts security from an afterthought to a foundational element built into technology from inception.

As a pioneer in providing Enterprise Security Risk Posture Management solutions for real-time monitoring of Digital Trust, DigitalXForce proudly embraces CISA’s Secure by Design pledge, reinforcing our commitment to building security and privacy into the very fabric of digital transformation.

Understanding CISA’s Secure-by-Design Pledge

On May 8, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) took a landmark step by introducing the Secure by Design pledge – a comprehensive framework aimed at transforming how organizations approach cybersecurity. This visionary initiative represents more than just a set of guidelines; it’s a fundamental shift in how we think about security.

The CISA Secure by Design pledge establishes seven fundamental pillars that form the backbone of robust cybersecurity:

  • Enforcing multi-factor authentication (MFA)
  • Eliminating default passwords
  • Reducing entire categories of vulnerabilities
  • Ensuring rapid deployment of security patches
  • Establishing clear vulnerability disclosure policies
  • Properly managing and addressing CVEs
  • Enhancing detection of cyber intrusions

Our Secure-by-Design Commitment through Digital Trust

At DigitalXForce, our mission is to provide “Digital Trust Inside Out” – where cybersecurity controls are implemented by design and continuously monitored. This mission aligns directly with CISA’s Secure by Design initiative, as we believe that true digital trust can only be achieved through a comprehensive, security-first approach.

Our platform was built from the ground up following NIST 800-53 and NIST CSF frameworks, ensuring that security is embedded across all aspects of our solution.

By joining this initiative, DigitalXForce commits to continue:

  • designing security into our products from the ground up to build Digital Trust
  • maintaining transparency and driving continuous security improvements
  • taking full accountability for the resilience of the technologies we develop and deliver

We are proud to share how our platform incorporates and extends beyond the seven core pillars of CISA’s Secure by Design framework.

  • MULTI-FACTOR AUTHENTICATION (MFA)

GOAL: Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.

Our Approach: MFA is enabled as a default and non-negotiable authentication feature across the DigitalXForce platform.

  • ELIMINATING DEFAULT PASSWORDS

GOAL: Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.

Our Approach: As a built-in design requirement, our customers must create unique, strong credentials during initial setup of the platform. Passwords must contain a minimum of 12 characters, including an uppercase letter and a special character, to ensure adequate strength. MFA is mandatory for all credentials with access to the platform.

  • REDUCING ENTIRE CLASSES OF VULNERABILITY

GOAL: Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.

CONTEXT: The vast majority of exploited vulnerabilities today are due to classes of vulnerabilities that can often be prevented at scale. Examples include SQL injection, cross-site scripting, and memory safety vulnerabilities, as detailed below. An effective way that software manufacturers can reduce risk for their customers is by working to reduce classes of vulnerabilities at scale across their products. Software manufacturers can pick one or more vulnerability classes for the pledge that they work to reduce over the course of the year. For more information on vulnerability classes that can be prevented at scale, see CISA’s Secure by Design Alert series.

Example approaches towards achieving this goal:

  • Consistently enforcing the use of parametrized queries to prevent SQL injection attacks.
  • Adopting web template frameworks with built-in protection against cross-site scripting vulnerabilities.
  • Developing a memory safe roadmap to transition to memory safe languages in a prioritized approach and writing new products in memory safe languages.
  • Providing secure defaults for developers, such as by providing “building blocks” of secure functions and libraries that make it impossible (or significantly more difficult) to introduce a certain class of vulnerability.
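The first two example approaches above (parameterized queries against SQL injection, and output escaping of the kind a template framework applies automatically against cross-site scripting) are illustrated by the following added example. It is not code from DigitalXForce or CISA; it uses only Python's standard library, the in-memory `users` table and sample rows are constructed for the demonstration, and the function names are hypothetical. The vulnerable lookup is shown beside its hardened form so the difference in behaviour on the same input can be seen directly.

```python
import html
import sqlite3


def build_db():
    """Constructed in-memory user store standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Anti-pattern: untrusted input is spliced into the SQL text, so the
    database parses whatever the caller supplies as part of the statement."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the value is bound by the driver as data. It can never
    change the structure of the statement, whatever characters it contains."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_greeting_unsafe(name):
    """Anti-pattern: untrusted text inserted into HTML verbatim."""
    return f"<p>Hello, {name}</p>"


def render_greeting_escaped(name):
    """Hardened form: html.escape does what an autoescaping template engine
    does for every interpolated value, so markup in the input stays inert."""
    return f"<p>Hello, {html.escape(name)}</p>"


def compare_lookups(conn, username):
    """Return the row counts each variant yields for the same input; a gap
    between them is the signal a code-review or test suite should flag."""
    return {
        "vulnerable": len(lookup_vulnerable(conn, username)),
        "parameterized": len(lookup_parameterized(conn, username)),
    }


if __name__ == "__main__":
    db = build_db()
    # Ordinary input behaves the same either way.
    print(compare_lookups(db, "alice"))
    # A value containing SQL metacharacters widens the vulnerable query to
    # every row; the parameterized query simply finds no such user.
    print(compare_lookups(db, "' OR '1'='1"))
    print(render_greeting_unsafe("<b>guest</b>"))
    print(render_greeting_escaped("<b>guest</b>"))
```

The point for a vulnerability-class reduction programme is that the safe forms are not harder to write than the unsafe ones; making them the only available building block (a query helper that refuses raw SQL strings, a template engine with autoescaping on by default) is what removes the class rather than individual bugs.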

Examples of demonstrating measurable progress:

  • Publishing a blog on how the manufacturer has worked in the past year to significantly reduce the prevalence of one or more classes of vulnerability. This may include analysis of the root cause (CWE) of CVEs over time in the manufacturer’s products. CISA notes that successfully achieving this goal may actually lead to a short-term increase in CVEs as the manufacturer works to reduce that class of vulnerability — this should be regarded as a success if that class of vulnerability is reduced over the long run.
  • Publishing a memory safety roadmap, or a similar roadmap for other classes of vulnerability.

Our Approach – We employ a secure SDLC shift-left approach, integrating industry standards to proactively address top vulnerability classes during development. Rigorous penetration testing validates these measures, and recurring vulnerabilities are analyzed to implement root-cause solutions, ensuring robust security.

  • SECURITY PATCHES

GOAL: Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.

Our Approach: As a SaaS provider, we will continue to apply patches to the DigitalXForce platform so that the burden of patching it does not fall on customers. Customers must continue to patch the VM installed in their environment for system-specific vulnerabilities.

We pledge to continue maintaining unwavering vigilance through comprehensive, real-time monitoring and automated security management to provide LIVE security updates.

This includes:

  • Automated patch management
  • Continuous security control testing
  • Real-time vulnerability assessment
  • Integrated risk management with automated updates

  • VULNERABILITY DISCLOSURE POLICY

GOAL: Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on products offered by the manufacturer, commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP, provides a clear channel to report vulnerabilities, and allows for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure best practices and international standards.

Our Pledge: Recognizing the value of community collaboration, we pledge to launch a comprehensive vulnerability disclosure program by the end of Q3 2025. Until then, we encourage responsible disclosure through our security contact channels and commit to handle all good-faith research with respect and diligence.

  • CVES

GOAL: Within one year of signing the pledge, demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the manufacturer’s products. Additionally, issue CVEs in a timely manner for, at minimum, all critical or high impact vulnerabilities (whether discovered internally or by a third party) that either require actions by a customer to patch or have evidence of active exploitation.

Our Approach: We do not currently publish CVEs for our hosted SaaS products. We believe this aligns with standard industry practice.

  • EVIDENCE OF INTRUSIONS

GOAL: Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.

Our Approach: As a SaaS solution provider, we maintain 24×7 monitoring to detect any signs of intrusion in the platform and address them proactively. We provide the capability to forward relevant audit logs to the customer’s SIEM for correlation and monitoring.

We pledge to lead the way for building digital trust

As cyber threats continue to evolve, the importance of Secure by Design principles becomes increasingly critical. DigitalXForce remains committed to leading the way in implementing and advancing these principles, helping organizations build robust and measurable digital trust from the inside out.

We invite organizations to join us in this commitment to security-first design, where cybersecurity isn’t just a feature – it’s the foundation of digital transformation.
