F5’s Commitment to CISA Secure by Design: Measurable Security Outcomes & Lower Operational Risk
Secure By Design Pledge
The CISA Secure by Design Pledge is a voluntary commitment for enterprise software products and services (on-premises, cloud services, and SaaS). As a signatory, F5 commits to making a good-faith effort to work toward these seven goals:
- Measurably increase MFA usage
- Reduce default passwords
- Reduce entire classes of vulnerability (not just individual issues)
- Increase customer installation of security patches
- Publish a Vulnerability Disclosure Policy (VDP) that authorizes good-faith testing, provides a clear reporting channel, and aligns to coordinated disclosure best practices
- Improve CVE transparency, including accurate CWE and CPE fields, and timely issuance—especially for critical/high-impact issues
- Increase evidence of intrusions, improving customers’ ability to gather proof of cybersecurity intrusions affecting products
Complex Modern Environments
Modern enterprises are operating in pervasive complexity: multi-cloud environments, expanded tooling, and growing operational burden. In that reality, security cannot depend on perfect configuration or best-effort processes; it must be designed into products and services. For CIOs and CISOs, the CISA Secure by Design Pledge is valuable because it emphasizes measurable outcomes that reduce operational risk: increase MFA adoption, limit or eliminate default passwords, reduce entire vulnerability classes, boost customer patch installations, provide clearer vulnerability disclosure, increase transparency for CVE records, and improve the ability to gather evidence of intrusions. At F5, these outcomes align with how we already handle vulnerability intake, scoring, disclosure, and customer communication.
The F5 Portfolio
F5’s portfolio is designed to solve customers’ toughest hybrid and multicloud pain points. But that value only holds if it is delivered with strong security controls. The pledge reinforces a baseline of security our customers and partners should already expect—especially as security leaders face growing pressure to demonstrate control effectiveness, not just intention. For CIOs and CISOs, these commitments map to tangible risk reduction and operational efficiency: fewer preventable exposures, faster remediation, clearer governance, and stronger audit and incident readiness.
Secure By Design
Secure by Design is about shifting security “left” into the product and service experience—so that your teams spend less time compensating for weak defaults and more time driving business outcomes.
Secure by Design requires predictable, disciplined security operations that customers can integrate into their own risk- and change-management cycles. F5 discloses vulnerabilities and security exposures via a scheduled Quarterly Security Notification (QSN) process. When needed to protect customer systems, F5 may issue Security Alerts outside that cadence. F5 investigates and prioritizes reports based on potential exploitability and communicates impact using CVSS v3.1 severity categories. F5 assigns CVE identifiers and publishes security advisories for all severity levels.
Portfolio History
Starting with the August 2024 Quarterly Security Notification, F5 also provides a CVSS v4.0 base score for first-party issues (shown alongside CVSS v3.1). For third-party issues, F5 continues with CVSS v3.1 while building experience with CVSS v4.0. For CIOs and CISOs, this matters because it enables repeatable internal motions: patch windows, risk acceptance processes, exception handling, and audit-ready documentation.
Summary
Secure by Design is about lowering enterprise risk while reducing the operational cost of security: fewer risky defaults to hunt down, fewer recurring vulnerability patterns, clearer disclosure processes, faster patch adoption, and better evidence when investigating incidents. By implementing the principles laid out in CISA’s Secure by Design Pledge, F5 is reinforcing that these are not aspirational principles—they are outcomes we intend to drive and make measurable across our products and services, so customers can operate with confidence in the complex hybrid and multi-cloud environments they depend on.
F5 security vulnerability response policy: https://my.f5.com/manage/s/article/K4602
CISA Secure by Design Pledge: https://www.cisa.gov/securebydesign/pledge