CISA Designed Its Cyber Guidelines to Fit All Enterprises
CISA first introduced the CPGs in December 2022 and updated them three months later based on initial stakeholder feedback. The CPGs were developed for entities of all sizes and across all sectors. They’re intended to enable rigorous prioritization, because being secure shouldn’t mean breaking the budget.
In addition, the CPGs can help organizations evaluate their current cyber posture while guiding them on how to achieve a strong cybersecurity foundation.
We believe if every organization — no matter what sector or what size — incorporates fundamental cybersecurity practices, they can materially reduce the risk of intrusions. As the nation’s cyberdefense agency, our goal at CISA is to make it easier for every organization to prioritize the most important cybersecurity practices.
We also want to be sure these practices are clear and easy to understand, and that they lay out tangible steps organizations can take to reduce the risk of cyberattacks and the damage they wreak.
Organized according to the National Institute of Standards and Technology’s Cybersecurity Framework, the CPGs reflect some of the best thinking gleaned from across the cybersecurity community and draw from the extensive input of experts across sectors, public and private, domestic and international.
Agencies Can Adapt to These Clear-Cut Guidelines
While the full list of CPGs may seem long, particularly for small organizations, the goals themselves are quite achievable. Here are some straightforward and essential practices you can start implementing today:
Change default passwords (CPG Goal 2.A): Create and enforce an organizationwide policy that requires changing manufacturer default passwords before any hardware, software or firmware is put on the network. This helps organizations both prevent initial access by threat actors and hinder lateral movement in the event of a compromise. Many devices, such as smartphones, prompt new users to set a new password during initial setup.
However, many devices still do not prompt users to take this action, and it should be one of the first steps when deploying any new asset or device. No technology product should come with a default password that isn’t reset on first use. When purchasing a product, ask your vendor about their use of default passwords.