CHELMSFORD, Mass. — Axis Communications, a global provider of network video products, has joined the U.S. Cybersecurity & Infrastructure Security Agency’s Secure by Design pledge. The company will publicly report on the security measures and posture of its products to help customers understand and trust their deployments.
CISA’s voluntary initiative calls on manufacturers to treat customer protection as a core business principle by addressing key aspects of cybersecurity, including:
- Multi-factor authentication to secure device and user access.
- Limiting vulnerability types through secure coding and configuration.
- Simplified installation of software updates and security patches.
- A publicly published vulnerability disclosure policy.
- Transparent reporting of discovered security flaws.
- Measurable improvements in customers’ ability to collect intrusion evidence.
The pledge aims to strengthen industry standards and enhance transparency in security practices.
“CISA’s Secure by Design pledge aligns well with our goal of making cybersecurity a core part of what we offer,” says Johan Paulsson, chief technology officer of Axis Communications. “By making this pledge, we affirm our continuous commitment to helping customers follow cybersecurity best practices and drive greater accountability in the physical security industry.”
Axis describes how it plans to implement these requirements across its portfolio, from AXIS OS network devices and management software to cloud-based services such as Axis Cloud Connect.
Axis security teams enforce best practices at every phase of software development under the Axis Security Development Model. Engineers begin with threat modeling during design and follow up with secure coding guidelines, automated static and dynamic code analysis, and manual code reviews. Prior to release, independent security firms conduct penetration tests and red-team simulations. Public bug bounty programs reward external researchers for responsibly disclosing vulnerabilities, and a streamlined reporting system routes issues to the Axis Product Security Team. Continuous monitoring and periodic audits further reinforce protection across each product update.
Axis serves as a CVE Numbering Authority, allowing it to assign identifiers and publish patches promptly. The company’s vulnerability management policy defines clear timelines for acknowledging reports and coordinating fixes with researchers. All fixes and advisories appear on the Axis Trust Center, a public portal offering detailed security and compliance resources for AXIS OS-based network devices, video management software and more. Plans call for expanding Trust Center coverage to all Axis products and services.
AXIS OS powers a broad suite of IP-based cameras, intercoms, loudspeakers and access control units. Each device ships without default credentials and supports multi-factor authentication via centralized identity and access management solutions. Factory settings rely on zero-trust networking, which secures device verification and onboarding. Compliance with IEEE 802.1X and IEEE 802.1AR means products authenticate using hardware-backed secure device identities. Devices integrate protocols such as SNMP v3 and ONVIF for scalable network management and interoperability with third-party systems.
Network-level encryption is enforced through IEEE 802.1AE MACsec to protect time-sensitive protocols such as NTP and DHCP. AXIS OS double-encrypts secure communications, including HTTPS and other TLS-based streams. On the hardware front, devices feature secure key storage modules certified to FIPS 140-3 Level 3 and Common Criteria EAL6+, defending cryptographic material even under physical attack scenarios.
The AXIS Camera Station family includes the Pro and Edge editions of video management software. Both secure links between cameras and clients—smartphones, tablets, browsers or PCs—with 256-bit AES encryption via Axis Secure Remote Access v2. Client-server connections use 256-bit AES and TLS 1.2 or higher. The applications support role-based access and granular controls to restrict functionality per user or group.
AXIS Camera Station Pro offers password protection using local or Windows Active Directory credentials. The Edge edition adds two-factor authentication. Pro offers real-time alarms, event logging and audit trails, letting operators receive instant notifications and track every action on the system. Audit reports help maintain accountability and support compliance with internal policies or external regulations.
Axis Device Manager, Device Manager Edge and Device Manager Extend deliver centralized tools for firmware updates and security hardening across thousands of devices. Feature sets include automated TLS certificate provisioning, scheduled or on-demand software rollouts, and configuration backup and restore to reduce manual errors. Administrators can apply group-based policies, manage password rules, manage HTTPS and IEEE 802.1X services, and monitor device health—all from a unified console or via integration with third-party management platforms.
Axis Cloud Connect is an open, hybrid cloud platform that lets customers and integration partners manage Axis devices remotely. The service automates delivery of firmware and security patches, reducing operational overhead. Device-to-cloud connections occur over secure channels such as HTTPS and WebRTC with TLS 1.2 or 1.3. Access is protected by single sign-on and multi-factor authentication for My Axis accounts. Cloud Connect provides automated evidence gathering and real-time detection of suspicious cybersecurity events, with audit log monitoring and customizable alerts to help operators investigate or escalate based on risk level.
As part of the CISA Secure by Design pledge, Axis will publish regular updates on the security posture of its products. Customers gain the ability to verify progress, hold the company accountable and maintain confidence in Axis solutions.
