CISA and NATO Approved Cyber Products

At Everfox, we believe technology must enable innovation but must never compromise security. Our unfailing devotion to our customers and the critical missions they serve, as well as our world-class approach to delivering high assurance capabilities, differentiates us as a company. That is why we are pledging today that Everfox will collaborate with the Cybersecurity & Infrastructure Security Agency (CISA) and commit to working together with industry to responsibly deliver Trusted, High Assurance cybersecurity.

Today, I have signed the Cybersecurity & Infrastructure Security Agency (CISA) Secure by Design pledge to formalize a companywide commitment to:

Maintaining our unrelenting focus on customer success

Delivering the most innovative and secure cross domain, threat protection, and insider risk solutions on the market.

Empowering critical organizations to use data safely, wherever and however they need it.

The origins of the Secure by Design Pledge

In April of 2023, CISA collaborated with the Federal Bureau of Investigation, National Security Agency, Australian Cyber Security Centre, Canadian Centre for Cyber Security, New Zealand’s Computer Emergency Response Team, United Kingdom’s National Cyber Security Centre, Germany’s Federal Office for Information Security (BSI), the Netherlands’ National Cyber Security Centre, and private sector partners to publish Security-by-Design recommendations in this guide. This effort is in support of the National Cybersecurity Strategy, which calls for a robust collaboration between public and private sectors to provide stronger cybersecurity leadership and reduce the burden that now falls especially on smaller organizations. The guide encourages manufacturers to put cybersecurity first throughout a product’s development lifecycle to decrease user risk and provide out-of-the-box user protections by default at no extra charge.

In the guide, CISA recommends three core principles for technology manufacturers to follow to build products that are more secure by design:

First, the burden of safety should never fall solely upon the customer. Technology manufacturers must take ownership of the security outcomes for their customers.

Second, technology manufacturers should embrace radical transparency to disclose and ultimately help us better understand the scope of our consumer safety challenges, as well as a commitment to accountability for the products they bring to market. 

Third, the leaders of technology manufacturers should explicitly focus on building safe products, publishing a roadmap that lays out the company's plan for how products will be developed and updated to be both secure-by-design and secure-by-default.

The Secure by Design pledge is a voluntary pledge focused on enterprise software products and services, including on-premises software, cloud services, and software as a service (SaaS). The results of the program are intended to build industry collaboration, investigate the contributing factors that resulted in a cybersecurity breach, reduce the burdens on the end consumers, and leverage data to help customers make informed decisions.

Everfox’s Commitment

Everfox is joining other software manufacturers in making a good-faith effort to progress our cybersecurity program over the following year.

We are pledging to work toward accomplishments around the program's 7 goals:

1. Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication (MFA) across the manufacturer’s products.
2. Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.
3. Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.
4. Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.
5. Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on products offered by the manufacturer, commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP, provides a clear channel to report vulnerabilities, and allows for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure best practices and international standards.
6. Within one year of signing the pledge, demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the manufacturer’s products. Additionally, issue CVEs in a timely manner for, at minimum, all critical or high impact vulnerabilities (whether discovered internally or by a third party) that either require actions by a customer to patch or have evidence of active exploitation.
7. Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.

At Everfox, our products don’t just meet the standard security benchmarks – they surpass them. Built with a security-first approach, our products are designed with security and customer outcomes in mind. Additionally, we have system security assessments conducted by third-party security testing firms. One example of this is our cross domain solution (CDS) product suite, which undergoes a system security assessment conducted by the National Security Agency’s National Cross Domain Strategy and Management Office (NCDSMO). Before deployment in an operational setting, our CDS products are thoroughly tested by the government to comply with NCDSMO’s ‘Raise the Bar’ security standards, fortifying them against the most advanced threats. We are dedicated to continuously enhancing the resilience of our products and routinely releasing patches for all our product offerings. These are just a few examples of how Everfox applies a security-first approach to our customers. This proactive approach provides our customers with reliable, high-assurance and secure solutions for their consequence missions.

Today, Everfox is committing to prioritize the Secure by Design Pledge goals and continue our mission to deliver secure, innovative, high-assurance solutions that empower our customers to operate in an ever-changing cyber landscape. We look forward to collaborating with private and public sector organizations on this commitment to provide industry-leading high assurance cybersecurity.

References:

CISA. (n.d.). Secure by design: CISA. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/securebydesign

Easterly, J. (2024, April 30). The cost of unsafe technology and what we can do about it: CISA. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/news-events/news/cost-unsafe-technology-and-what-we-can-do-about-it

Shifting the balance of cybersecurity risk: Security-by-design and default principles: CISA. Cybersecurity and Infrastructure Security Agency. (2024, May 1). https://www.cisa.gov/news-events/alerts/2023/04/13/shifting-balance-cybersecurity-risk-security-design-and-default-principles