Secure by design pledge - cyber regulation

More than 60 companies have committed to the CISA Secure by Design pledge to improve software security. This voluntary initiative is compared here with the binding EU Cyber Resilience Act.

The participants in the initiative have committed to achieving measurable progress within twelve months in seven areas:

  • Enhanced use of multi-factor authentication
  • Replacing default passwords with secure alternatives
  • Reducing susceptibility to entire classes of common vulnerabilities, such as SQL injection
  • Making it easier for customers to install security patches
  • Establishing a vulnerability disclosure policy
  • Rapid assignment of CVE IDs to reported vulnerabilities
  • Facilitating the collection of information after security incidents

Although this commitment is an important step, it remains voluntary and legally non-binding. In contrast, the European Cyber Resilience Act (CRA) promises a stronger and binding effect on industry through its regulatory requirements and the possible sanctions for non-compliance. Because of the size of the European single market, the CRA sets a precedent that also affects American companies and can thus contribute to a higher level of security worldwide.

Experience shows that, despite the good intentions behind self-commitments, binding requirements are often necessary to ensure broad and lasting adoption of secure practices. The future of cybersecurity needs both voluntary initiatives and enforceable laws.

More information about the pledge and its concrete measures is available at: https://www.cisa.gov/securebydesign/pledge