The Cybersecurity and Infrastructure Security Agency (CISA) wants K-12 education software developers to voluntarily sign a pledge to commit to designing products with stronger security baked in.
By signing the pledge, education software developers would vow to adhere to the following three principles:
- Take ownership of customer security outcomes
- Embrace radical transparency and accountability
- Lead from the top
As of September 1, six education software providers have committed to the program, including:
- PowerSchool, a Folsom, California developer of cloud-based, student information solutions
- Classlink, a Clifton, New Jersey company that makes identity and access management products
- Clever, a San Francisco specialist in secure single sign on technology
- GG4L, an Alameda, California firm with a secure, private data exchange for the education ecosystem
- Instructure, a Salt Lake City, Utah developer of a web-based learning management system
- D2L, a Kitchener, Ontario, Canada company offering an online learning and teaching platform
“We need to address K-12 cybersecurity issues at its foundation by ensuring schools and administrators have access to technology and software that is safe and secure right out of the box,” said CISA Director Jen Easterly. “I want to thank Classlink, Clever, D2L, GG4L, Instructure, and PowerSchool who have already signed this pledge and for their leadership in this area. We need all K-12 software manufacturers to help us improve cybersecurity for the education sector by committing to prioritize security as a critical element of product development.”
What CISA Asks of Software Developers
Here are more details on the three principles: (per CISA)
Principle 1: Take Ownership of Customer Security Outcomes.
- Single Sign On (SSO) at no extra charge. Manufacturers should allow all customers to configure standards-based SSO.
- Goal: No later than 6 months after the summit, customers may configure standards-based SSO at no additional charge.
- Security audit logs at no extra charge. Security audit logs necessary for monitoring and responding to cybersecurity incidents should be provided at no additional charge to schools.
- Goal: No later than 6 months after the summit, security audit logs are provided to customers at no additional charge.
Principle 2: Embrace Radical Transparency and Accountability.
- Publish a Secure by Design roadmap. Document how you are making changes to your software development life cycle (SDLC) to improve customer security, including actions taken to eliminate entire classes of vulnerabilities (e.g. by usage of memory-safe languages, parametrized queries, and web template frameworks).
- Include detail on how you are updating your hiring, training, code review, and other internal development processes to do so. The roadmap should also outline how the manufacturer plans to urge all users, including students, towards multi-factor authentication (MFA), with the understanding that students may not possess a mobile device traditionally used for MFA (other authentication options, such as passkeys, should be considered).
- Goal: no later than 6 months after the summit, the Secure by Design roadmap is published on the manufacturer’s website.
- Authorize testing against all products offered by the manufacturer.
- Provide legal safe harbor that authorizes testing under the policy.
- Allow public disclosure of vulnerabilities after a set timeline.
- Manufacturers should perform root-cause analysis of discovered vulnerabilities and, to the greatest extent feasible, take actions to eliminate root cause vulnerability classes in line with the Secure by Design roadmap.
- Goal: no later than 3 months after the summit, the manufacturer has published a vulnerability disclosure policy on its website that adheres to the above criteria.
- Embrace vulnerability transparency. Ensure that product CVE entries are correct and complete, including a CWE field that identifies the root cause of the vulnerability.
- Goal: no later than three months after the summit, all new CVEs published by the manufacturer include complete details on the vulnerability and have a properly-assigned CWE tag for the vulnerability’s root cause.
- Publish security-relevant statistics and trends. This may include aggregated statistics of MFA adoption of customers and administrators, and use of unsafe legacy protocols.
- Goal: no later than 6 months after the summit, security statistics and trends are published on the manufacturer’s website.
Principle 3: Lead from the Top.
- Publicly name a top business leader (not the CTO or CISO) who is responsible for security. This individual should be responsible for managing the process of integrating security and quality as a core function of the business, including the development and implementation of the Secure by Design roadmap.
- Goal: no later than three months after the summit, the manufacturer has publicly named a top business leader responsible for security.