Cybersecurity & Infrastructure Security Agency
America's Cyber Defense Agency


K-12 Education Technology Secure by Design Pledge

Overview

This is a voluntary pledge for K-12 Education Technology software manufacturers, in line with CISA’s Secure by Design whitepaper. By participating in this pledge, manufacturers are pledging publicly to the following actions:


Principle 1: Take Ownership of Customer Security Outcomes

  1. Single Sign On (SSO) at no extra charge. As SSO can enable greater security by reducing password-based attacks, manufacturers should allow all customers to configure standards-based SSO.
    • Goal: no later than 6 months after signing the pledge, customers may configure standards-based SSO at no additional charge.
  2. Security audit logs at no extra charge. Security audit logs necessary for monitoring and responding to cybersecurity incidents should be provided at no additional charge to schools.
    • Goal: no later than 6 months after signing the pledge, security audit logs are provided to customers at no additional charge.

Principle 2: Embrace Radical Transparency and Accountability

  1. Publish a Secure by Design roadmap. Document how you are making changes to your SDLC to improve customer security, including actions taken to eliminate entire classes of vulnerabilities (e.g. by usage of memory-safe languages, parametrized queries, and web template frameworks). Include detail on how you are updating your hiring, training, code review, and other internal development processes to do so. The roadmap should also outline how the manufacturer plans to nudge all users, including students, towards MFA, with the understanding that students may not possess a mobile device traditionally used for MFA (other authentication options, such as passkeys, should be considered).
    • Goal: no later than 6 months after signing the pledge, the Secure by Design roadmap is published on the manufacturer’s website.
  2. Publish a vulnerability disclosure policy. Publish a vulnerability disclosure policy that (1) authorizes testing against all products offered by the manufacturer, (2) provides legal safe harbor that authorizes testing under the policy, and (3) allows public disclosure of vulnerabilities after a set timeline. Manufacturers should perform root-cause analysis of discovered vulnerabilities and, to the greatest extent feasible, take actions to eliminate root cause vulnerability classes in line with the Secure by Design roadmap.
    • Goal: no later than 3 months after signing the pledge, the manufacturer has published a vulnerability disclosure policy on its website that adheres to the above criteria.
  3. Embrace vulnerability transparency. Ensure that product CVE entries are correct and complete, including a CWE field that identifies the root cause of the vulnerability.
    • Goal: no later than 3 months after signing the pledge, all new CVEs published by the manufacturer include complete details on the vulnerability and have a properly-assigned CWE tag for the vulnerability’s root cause.
  4. Publish security-relevant statistics and trends. This may include aggregated statistics of MFA adoption of customers and administrators, and use of unsafe legacy protocols.
    • Goal: no later than 6 months after signing the pledge, security statistics and trends are published on the manufacturer’s website.

Principle 3: Lead from the Top

  1. Publicly name a top business leader (not the CTO or CISO) who is responsible for security. This individual should be responsible for managing the process of integrating security and quality as a core function of the business, including the development and implementation of the Secure by Design roadmap.
    • Goal: no later than 3 months after signing the pledge, the manufacturer has publicly named a top business leader responsible for security.

Take the Pledge Today!

If you are a K-12 education technology vendor and would like to join the pledge, please email us at SecureByDesign@cisa.dhs.gov.

Signatories


At ClassLink, privacy and security are at the core of everything we do. Today, we reaffirm our commitment to supporting schools in their journey towards a safe and thriving digital learning environment. We are honored to stand alongside the CISA and the Department of Education in making the pledge.

Berj Akian
CEO, ClassLink

Our pledge commitments that we made are part of our ongoing efforts to help our customers and partners mitigate cybersecurity threats. Together, we can work to protect our K-12 schools, educators, students, and their families, freeing them to focus on what matters most: teaching and learning.

John Baker
CEO, D2L

We are proud to sign the Secure by Design pledge, joining CISA and other edtech organizations committed to strengthening cybersecurity in K-12 schools.

Trish Sparks
Clever CEO

We are honored to be a part of the CISA Secure by Design pledge and provide free and subsidized cybersecurity tools and resources for U.S. districts.

Hardeep Gulati
PowerSchool CEO

At Focus School Software, we are dedicated to the privacy and security of student data; privacy and security are our most important priorities, our approach is to do things the right way without shortcuts.

Andrew Schmadeke
Focus School Software CEO

Disclaimer

CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services referenced or linked to on this page. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

The Secure by Design K-12 pledge is a voluntary pledge. CISA does not enforce nor verify adherence to the pledge.
