Secure By Design’s Uncertain Report Card
Vendors have made progress on security best practices in the nearly two years since Secure By Design’s debut, but it’s far from clear that the CISA program deserves credit.
I was at the RSA Conference and feeling hopeful back in 2024 when then-CISA director Jen Easterly personally rolled out Secure By Design, a federal program aimed at getting vendors to pledge they would “measurably increase” things like enforcing MFA and patching vulnerabilities.
A lot, needless to say, has changed since then, especially in the past year. For one thing, Easterly resigned last January. For another, the person nominated by the Trump Administration to replace her has yet to receive Senate confirmation. And for a third, Secure By Design doesn’t appear to be much of a priority in Washington anymore.
“I’ve not heard from my contacts in the Secure By Design team in this calendar year,” said Chester Wisniewski, director of global field CISO at inaugural Secure By Design signatory Sophos, last month. “CISA’s not focusing on this anymore.”
That said, over 300 companies have joined Sophos in taking the pledge since its introduction, and not just “small-time players,” Wisniewski observes. “It’s Microsoft. It’s Cisco. It’s Palo Alto. It’s all of the heavy hitters, which is who you want to have on board.”
Moreover, there’s been progress by vendors on clearing the pretty low standards Secure By Design set two years ago. Buy yourself a router at Best Buy for example, Wisniewski notes, and it probably won’t come with a default password anymore. “That minimum bar, to me, is not nearly high enough,” Wisniewski says, “but raising that minimum bar really does matter.”
The question, however, is whether Secure By Design deserves any of the credit for accomplishments like that. Chris Henderson is skeptical.
“I’m in a group with about 1,500 other CISOs, and it is very rarely discussed,” says Henderson, chief information security officer at inaugural pledge signer Huntress (which has had Easterly on its strategic advisory board since August). Secure By Design has raised awareness of measures every software maker should have had in place long ago, he continues, and that’s not nothing. But how much impact the program has had beyond that is hard to say.
“I think what you’re seeing are the companies that signed it had pre-existing practices in place that made it a relatively low lift in order to meet some of the principles of the pledge, as opposed to companies that are lacking in some of these using this as a pledge to drive changes within their organization,” Henderson says.
Still, while a lot of companies may not have thought much about Secure By Design since signing it, 40 signatories have taken it seriously enough to issue progress reports. Sophos is one of them, and Wisniewski’s pretty sure the company’s commitment to the program (which it calls out in product announcements these days) is paying off.
“I think it’s a genuine competitive advantage for us,” he says. “We certainly are winning business by having done this.”
All the more reason, perhaps, for the hundreds of signers that are not serious about Secure By Design and the thousands of vendors that never signed at all to consider embracing the program’s relatively simple best practices even if CISA itself has lost interest in promoting them.