CISA Secure By Design Pledge
  • 16 Jul 2024
Overview

This is a voluntary pledge for K-12 Education Technology software manufacturers, in line with CISA’s Secure by Design whitepaper. By participating in this pledge, manufacturers are pledging publicly to the following actions:


[Image: row of cybersecurity icons outlining the three principles of the Secure by Design pledge]

See how Identity Automation fulfills this pledge.

Principle 1: Take Ownership of Customer Security Outcomes

  1. Single Sign On (SSO) at no extra charge. As SSO can enable greater security by reducing password-based attacks, manufacturers should allow all customers to configure standards-based SSO.

    • Goal: no later than 6 months after signing the pledge, customers may configure standards-based SSO at no additional charge.

    • Outcome: RapidIdentity customers have always had the ability to configure standards-based SSO using a variety of methods, including SAML, OIDC, and password vaulting, at no extra cost.

  2. Security audit logs at no extra charge. Security audit logs necessary for monitoring and responding to cybersecurity incidents should be provided at no additional charge to schools.

    • Goal: no later than 6 months after signing the pledge, security audit logs are provided to customers at no additional charge.

    • Outcome: RapidIdentity customers have always had the ability to access security audit logs at no additional charge.

Principle 2: Embrace Radical Transparency and Accountability

  1. Publish a Secure by Design roadmap. Document how you are making changes to your SDLC to improve customer security, including actions taken to eliminate entire classes of vulnerabilities (e.g. by usage of memory-safe languages, parameterized queries, and web template frameworks). Include detail on how you are updating your hiring, training, code review, and other internal development processes to do so. The roadmap should also outline how the manufacturer plans to nudge all users, including students, towards MFA, with the understanding that students may not possess a mobile device traditionally used for MFA (other authentication options, such as passkeys, should be considered).

    • Goal: no later than 6 months after signing the pledge, the Secure by Design roadmap is published on the manufacturer’s website.

    • Outcome: 2024 Roadmap

      • Q1 2024

        • Increased dedicated security engineers

        • Additional authentication parity for Windows Authentication client

      • Q2 2024

        • Achieved TX-RAMP Level 2 Certification

        • Added Claim Account Exponential Backoff

      • 2H 2024 (Forecasted)

        • Password Vaulting

        • WebAuthn FIDO Support

        • Windows Authentication Client Offline Support

        • Kerberos support for Windows Authentication Client

  2. Publish a vulnerability disclosure policy. Publish a vulnerability disclosure policy that (1) authorizes testing against all products offered by the manufacturer, (2) provides legal safe harbor that authorizes testing under the policy, and (3) allows public disclosure of vulnerabilities after a set timeline. Manufacturers should perform root-cause analysis of discovered vulnerabilities and, to the greatest extent feasible, take actions to eliminate root-cause vulnerability classes in line with the Secure by Design roadmap.

    • Goal: no later than 3 months after signing the pledge, the manufacturer has published a vulnerability disclosure policy on its website that adheres to the above criteria.

    • Outcome: Identity Automation’s vulnerability disclosure policy provides for:

      • Authorization of testing against all products offered

      • Public disclosure of vulnerabilities 90 days after resolution by Identity Automation

      • Elimination of root-cause vulnerability classes when remediating issues

  3. Embrace vulnerability transparency. Ensure that product CVE entries are correct and complete, including a CWE field that identifies the root cause of the vulnerability.

    • Goal: no later than 3 months after signing the pledge, all new CVEs published by the manufacturer include complete details on the vulnerability and have a properly assigned CWE tag for the vulnerability’s root cause.

    • Outcome: As of July 1st, 2024, Identity Automation publishes all vulnerabilities with appropriate CVEs and CWE tags.

  4. Publish security-relevant statistics and trends. This may include aggregated statistics of MFA adoption of customers and administrators, and use of unsafe legacy protocols.

    • Goal: no later than 6 months after signing the pledge, security statistics and trends are published on the manufacturer’s website.

    • Outcome: Within the last 90 days, RapidIdentity PhishID has been:

      • Deployed across 209K named users

      • Scanned 912K login pages

      • Intercepted 1563 novel phishing attempts
