WatchGuard Blog

Secure-by-Design and -Default: How WatchGuard Fulfills CISA’s New Guidance

CISA and its counterparts around the world have published new guidance advising technology manufacturers to prioritize Secure-by-Design and Secure-by-Default in all product design and development processes, and urging customers to hold them accountable for doing so.

The move seeks to address an ongoing issue. For far too long, businesses have been forced to shoulder the liability for cyberattacks and data breaches caused by the insecure technology they’ve adopted. Meanwhile, vendors themselves sidestep responsibility for security gaps in their products and services with liability waivers and unfair terms and conditions provisions. This leaves administrators with the obligation to ensure their purchases are properly hardened against attacks (and alone on the hook when that hardening fails).

CISA’s new guidance encourages manufacturers to quickly adopt Secure-by-Design principles (to build their products in a way that reasonably protects against threat actors) and Secure-by-Default configurations (to implement secure configuration as the default). The guidance aims to transfer most of the burden of secure configuration and product vulnerabilities from customers to tech providers who are better equipped to address them.

This proposed shift in the balance of responsibility for cybersecurity risk is entirely voluntary today, but the document is a harbinger of new regulatory requirements on the horizon. In fact, Section 3 within the White House’s recently released National Cyber Security Strategy acknowledges that vendors shipping products with insecure default configurations or vulnerabilities is one of the primary causes of security incidents, and lays out a vision to shift liability to manufacturers. You can learn more about the details of the complete strategy here.

WatchGuard’s Secure-by-Design, Secure-by-Default Approach

Accountability is a core value at WatchGuard, and we’ve always believed that the burden of security belongs with the technology manufacturer. We are glad – but not surprised – to see the onus moving in this direction. Secure-by-Design and -Default policies have been and will continue to be a primary focus within our product design and development process. Let’s take a look at some examples:


  • ISO 27001 Certification – We’ve gone through the rigorous design, development, and auditing processes required to achieve an ISO 27001 Certification for WatchGuard Cloud, which proves that WatchGuard meets the highest international standards for information security management systems. 
  • Secure Software Development Lifecycle – As part of our commitment to secure design, WatchGuard adheres to strict internal policies for proactively testing our products and services before and after release to accurately identify and quickly resolve vulnerabilities.
  • CVE Certified Numbering Authority (CNA) Status – We’ve worked with the CVE program secretariat MITRE to become a CVE Certified Numbering Authority to ensure WatchGuard can quickly and directly assign CVE IDs and publish critical information for any vulnerabilities that we or external researchers identify within our products and services.
  • Bug Bounty Program – WatchGuard maintains an active private bug bounty program and public external vulnerability reporting channel in order to leverage the broader security community’s expertise in proactively identifying and mitigating product vulnerabilities. Learn more about how we handle product vulnerabilities here.


  • Leveraging Simplicity for Security Optimization – WatchGuard is committed to delivering simplified enterprise-grade security solutions for organizations of all types and sizes. As part of this, we ensure that our Firebox products and WatchGuard Cloud security services include default configurations optimized for security.
  • Requiring Strong Passwords – From our Firebox security appliances to our secure access points, all WatchGuard products require customers to change from default passwords to strong, unique passwords as another critical measure to eliminate potential security incidents.
  • Built-In Hardening for Endpoint Security – The default operating state for WatchGuard Endpoint Security solutions is hardening mode, using our Zero-Trust Application Service to prevent anything users download from untrusted locations like the Internet from running until it is confirmed good by our 100% attestation process.
  • MFA Support – WatchGuard supports multi-factor authentication (MFA) for all Firebox user accounts, including management, non-management, and VPN access, as well as WatchGuard Cloud access.
  • WatchGuard is constantly looking for ways to harden our products by default, including regularly updating default configurations and adding additional notifications where insecure configurations are identified.

Guidance for Customers

As a cybersecurity technology customer, the new guidance from CISA should ignite a new focus on holding manufacturers accountable for the security of their products. Now is the time to establish policies that require your teams to assess tech providers’ security posture as part of your vendor selection process. Organize a plan to ensure you adopt products that are Secure-by-Design and Secure-by-Default. And don’t forget to partner with your IT suppliers to reinforce the importance of these policies.

You shouldn’t have to bear the burden of security alone, but until emerging regulatory requirements shift liability to vendors, using your voice and your wallet to move the needle is the safest path forward.

Visit our Trust Center to learn more about policies and processes that ensure WatchGuard’s products are both Secure-by-Design and Secure-by-Default.
