CISA Launches Secure by Design Pledge with 6 Ed Tech Vendors

The Cybersecurity and Infrastructure Security Agency has launched a voluntary pledge for K–12 education technology software makers to “commit to designing products with greater security built in,” the agency said in a news release. 

The new program was unveiled with commitments already in place from six of the industry’s most-recognized names, including PowerSchool, Classlink, Clever, GG4L, Instructure, and D2L.

The pledge includes specific, “publicly measurable outcomes that the companies are committing to as they develop their roadmaps toward adhering to Secure by Design principles,” CISA said.

The Secure by Design principles are spelled out in a guide published earlier this year on CISA’s website; they include the following three principles:

  1. Take ownership of customer security outcomes

  2. Embrace radical transparency and accountability

  3. Lead from the top by making secure technology a key priority for company leadership

“We need to address K–12 cybersecurity issues at its foundation by ensuring schools and administrators have access to technology and software that is safe and secure right out of the box,” said CISA Director Jen Easterly. “I want to thank Classlink, Clever, D2L, GG4L, Instructure, and PowerSchool who have already signed this pledge and for their leadership in this area. We need all K–12 software manufacturers to help us improve cybersecurity for the education sector by committing to prioritize security as a critical element of product development.”

Learn more about the pledge, view signatories, or contact CISA to add an ed tech vendor to the pledge at CISA.gov/K–12-education-technology-secure-design-pledge.

The Text of CISA’s Secure By Design Principles 

Principle 1: Take Ownership of Customer Security Outcomes

  1. Single Sign On (SSO) at no extra charge. As SSO can enable greater security by reducing password-based attacks, manufacturers should allow all customers to configure standards-based SSO.

    1. Goal: no later than 6 months after the summit, customers may configure standards-based SSO at no additional charge.

  2. Security audit logs at no extra charge. Security audit logs necessary for monitoring and responding to cybersecurity incidents should be provided at no additional charge to schools.

    1. Goal: no later than 6 months after the summit, security audit logs are provided to customers at no additional charge.

Principle 2: Embrace Radical Transparency and Accountability

  1. Publish a Secure by Design roadmap. Document how you are making changes to your SDLC to improve customer security, including actions taken to eliminate entire classes of vulnerabilities (e.g. by usage of memory-safe languages, parametrized queries, and web template frameworks). Include detail on how you are updating your hiring, training, code review, and other internal development processes to do so. The roadmap should also outline how the manufacturer plans to nudge all users, including students, towards MFA, with the understanding that students may not possess a mobile device traditionally used for MFA (other authentication options, such as passkeys, should be considered).

    1. Goal: no later than 6 months after the summit, the Secure by Design roadmap is published on the manufacturer’s website.

  2. Publish a vulnerability disclosure policy. Publish a vulnerability disclosure policy that (1) authorizes testing against all products offered by the manufacturer, (2) provides legal safe harbor that authorizes testing under the policy, and (3) allows public disclosure of vulnerabilities after a set timeline. Manufacturers should perform root-cause analysis of discovered vulnerabilities and, to the greatest extent feasible, take actions to eliminate root cause vulnerability classes in line with the Secure by Design roadmap.

    1. Goal: no later than 3 months after the summit, the manufacturer has published a vulnerability disclosure policy on its website that adheres to the above criteria.

  3. Embrace vulnerability transparency. Ensure that product CVE entries are correct and complete, including a CWE field that identifies the root cause of the vulnerability.

    1. Goal: no later than 3 months after the summit, all new CVEs published by the manufacturer include complete details on the vulnerability and have a properly-assigned CWE tag for the vulnerability’s root cause.

  4. Publish security-relevant statistics and trends. This may include aggregated statistics of MFA adoption of customers and administrators, and use of unsafe legacy protocols.

    1. Goal: no later than 6 months after the summit, security statistics and trends are published on the manufacturer’s website.

Principle 3: Lead from the Top

  1. Publicly name a top business leader (not the CTO or CISO) who is responsible for security. This individual should be responsible for managing the process of integrating security and quality as a core function of the business, including the development and implementation of the Secure by Design roadmap.

    1. Goal: no later than 3 months after the summit, the manufacturer has publicly named a top business leader responsible for security.

For more information, email [email protected].


About the Author

Kristal Kuykendall is editor, 1105 Media Education Group. She can be reached at [email protected].
