The Cybersecurity & Infrastructure Security Agency (CISA) is tasked with helping organizations within the United States stay more secure. Since its establishment in 2018, the federal organization has stood out among its peers in the bureaucracy as being proactive in public-private outreach and working to simplify complexity. This is refreshing, considering there are organizational leaders across the country, working in every sector, who are struggling with the demands of increasing cyberthreats and attack vectors as well as more complex digital environments.

To help leaders in all organizations meet the amplifying challenges of digital security, CISA, in October released its “Cross-Sector Cybersecurity Performance Goals (CPGs).” [PDF] These are meant to be simple priorities for driving down risk.

The CPGs do not represent federal mandates, nor or they meant to represent a full or comprehensive risk management or cybersecurity program. They are however designed to work across a wide swath of industries and sizes. They are meant to help organizations adopt fundamental security protections, assist small and medium sized businesses with essential data security, and help lead to standards and cyber maturity across industry.

The CPGs are broken up into eight areas with each area containing three to seven goals that organizations can strive for. The rest of this article will be an attempt to break these down so that you can understand them and decide that, if you are not implementing these within your organization, you may want to.

Account Security  

  • Keeping user accounts secure involves detecting unsuccessful access attempts and making sure IT staff is alerted when these attempts occur. This will help against password cracking or brute force password guessing attempts.
  • Changing the default factory password on all hardware and firmware, especially that which is connected to the internet, is important because default factory passwords are publicly available and can easily be broken into.
  • It is important to mandate strong passwords and use multifactor authentication where available. Ensure users are not reusing passwords. Sometimes the fundamentals are the most important thing.
  • The network should be segmented so that users only have access to the information they need to complete their jobs.
  • Finally, you should have a policy in place to revoke credentials immediately for all applicable accounts when a user leaves the organization or is terminated.

Device Security  

  • IT should approve all hardware, software, or firmware that is installed on the network.
  • There should be a policy in place that they must approve and implement updates to new versions of software and hardware as well.
  • Macros should be disabled by default on all devices. Macros are a particular problem with Microsoft Office software, specifically Excel.
  • IT or leadership should maintain an inventory of all assets the organization possesses. This list should be updated frequently.
  • Organizations should implement a policy to limit or ban removable storage media, such as USB devices that can either upload malware to a device or steal data from the device.
  • All critical technology assets should be documented with their configuration details to help with vulnerability management and response and recovery activities. This will help speed the time to recovery during a physical or cyber incident.

Data Security  

  • Audit logging should be enabled and monitored. IT should be alerted to any anomalous behavior.
  • These logs should be stored in a central system, such as a Security Information and Event Management (SIEM) tool and access should be controlled and monitored.
  • Strong encryption should be utilized throughout the organization to maintain the confidentiality of sensitive data.
  • Sensitive data should be secured, never stored in plaintext and access should be tightly controlled to only those who need access to the data to complete their jobs. Credentials should also be secured with a password manager or vault.

Governance and Training

  • A single individual should oversee organizational cybersecurity and should be given a voice at the senior level.
  • An individual as well should be tasked with overseeing operational technology (OT), such as industrial control systems and physical access control mechanisms. These two tasks may fall under the purview of one senior leader. Think of it as having a Chief Information Security Officer and a Chief Security Officer.
  • The organization must hold cybersecurity awareness training for all employees at least annually.
  • Those who maintain operational technology should attend specific training on OT at least annually as well.
  • Any silos between IT security and OT security should be torn down. There should be communication between the two areas or departments. Silos are rarely good…except maybe to hold grain.

Vulnerability Management

  • IT should prioritize patching known exploited vulnerabilities with undue haste. More severe vulnerabilities and more critical assets should be prioritized during this process.
  • Organizations, where applicable, should maintain a public disclosure method (such as a portal) where security researchers can report discovered vulnerabilities in organizational systems.
  • Exploitable services (such as remote desktop protocol) should have no exposure to the public internet and OT connections should not be exposed to the public internet unless specifically required for operation. If this is the case, additional methods to protect they control should be implemented.
  • Organizations should implement third party validation of cybersecurity controls, including penetration tests, vulnerability tests, and incident response tabletop exercises.

Supply Chain / Third Party

  • When considering a third party vendor, organizations must consider cybersecurity as a top priority. This includes building cybersecurity requirements into the vendor selection process.
  • Service Level Agreements (SLAs) should include a stipulation that the vendor must notify the organization if they have suffered a cybersecurity incident or discovered a security vulnerability in their assets within a reasonable timeframe.

Response & Recovery

  • Organizations should develop and document a policy for reporting cybersecurity incidents to appropriate authorities and these should meet all regulatory requirements.
  • An incident response (IR) plan must be in place and drilled at least annually, including tabletop exercises.
  • Regular backups should be in place for all critical operational systems and backups should take place, at minimum, annually.
  • Technology blueprints should be created that show network topology and relevant information across the network. These blueprints should be reviewed and updated periodically.

Other

  • The network should be properly segmented with a firewall which is closely monitored for unapproved traffic. Connections to OT should be denied by default, unless explicitly allowed for system functionality.
  • Relevant threats and adversary tools, techniques, and procedures (TTPs) should be documented, and the organization should have a method for detecting those instances.
  • Rules should be put in place for email security including enabling STARTTLS, SPF, and DKIM. DMARC, as well, should be enabled and set to “reject.”

The CPGs from CISA should be used as a fundamental guide for improving your organization’s cybersecurity. As a leader, it would be wise to print off CISA’s CPG document, understand which of the CPGs your organization is currently implementing and which you are not. Then work with your IT or security team to prioritize which of the CPGs you should work to implement and in what timeframe. Take the recommendations from CISA and make a checklist and then plan for checking off the boxes. The more CPGs you can enact within your organization, the safer your organization will be.

Download the CISA CPG Document