These Four Goals Will Guide Your Agency to Better Cybersecurity

Every day, organizations across our country are impacted by cyber intrusions, many of which affect the delivery of essential services. Security professionals and business leaders alike recognize the need to protect their customers, employees and enterprises against this threat, which raises a simple but challenging question: Where to start?

We at the Cybersecurity and Infrastructure Security Agency know that no organization can adopt every possible cybersecurity measure or solution, but every organization can do something. We also know that some cybersecurity measures are more effective than others in addressing the types of attacks that occur with the greatest frequency and impact.

There’s no shortage of guidance, best practices and standards, but we’ve heard from countless partners about a challenge in prioritization.

To address this gap, President Biden’s National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems required CISA to work with industry and interagency partners to develop a set of voluntary cross-sector Cybersecurity Performance Goals.

Click the banner to get the expertise you need to strengthen your ransomware protection.

CISA Designed Its Cyber Guidelines to Fit All Enterprises

CISA first introduced the CPGs in December 2022 and updated them three months later based on initial stakeholder feedback. The CPGs were developed for entities of all sizes and across all sectors. They’re intended to enable rigorous prioritization, because being secure shouldn’t mean breaking the budget.

In addition, the CPGs can help organizations evaluate their current cyber posture while guiding them on how to achieve a strong cybersecurity foundation.

We believe if every organization — no matter what sector or what size — incorporates fundamental cybersecurity practices, they can materially reduce the risk of intrusions. As the nation’s cyberdefense agency, our goal at CISA is to make it easier for every organization to prioritize the most important cybersecurity practices.

We also want to be sure these practices are clear and easy to understand, and when implemented, lay out tangible steps organizations can take to reduce the risk of cyberattacks and the damage they wreak.

Organized according to the National Institute of Standards and Technology’s Cybersecurity Framework, the CPGs reflect some of the best thinking gleaned from across the cybersecurity community and draw from the extensive input of experts across sectors, public and private, domestic and international.

DISCOVER: How robust data protection better defends critical infrastructure.

Agencies Can Adapt to These Clear-Cut Guidelines

While the full list of CPGs may seem long, particularly for small organizations, the goals themselves are quite achievable. Here are some straightforward and essential practices you can start implementing today:

Change default passwords (CPG Goal 2.A): Create and enforce an organizationwide policy that requires changing default manufacturer’s passwords prior to putting hardware, software or firmware on the network. This can help organizations both prevent initial access by threat actors and hinder lateral movement in the event of a compromise. Many devices, such as smartphones, may prompt new users to set up a new password by default.

However, many devices still do not prompt users to take this action, and it should be one of the first steps when deploying any new asset or device. No technology product should come with a default password that isn’t reset on first use. When purchasing a product, ask your vendor about their use of default passwords.

Implement phishing-resistant multifactor authentication (CPG Goal 2.H): Adding a critical, additional layer of security to protect your organizations’ accounts can deny threat actors an initial foothold for wreaking havoc. CISA recommends using hardware-based tokens such as FIDO or public key infrastructure for the greatest resistance to exploitation. App-based soft tokens are a good option as well.

While better than nothing, using SMS (text messaging) to implement MFA should be an organization’s last resort. For more information, see CISA’s fact sheet on Implementing Phishing-Resistant MFA along with other information available on CISA’s “More than a Password” page.

New technology should have MFA enabled out of the box, as a default and without additional cost. When selecting a technology product, remind your vendor that you expect MFA to be automatically enabled for all users.

Separate user and privileged accounts (CPG Goal 2.E): Make it harder for threat actors to gain access or escalate privileges, even if user accounts become compromised, by ensuring no user accounts have administrator-level privileges.

Be sure to frequently re-evaluate privileges to validate the need for certain permissions. For example, employees on the marketing team should likely not need access to HR data, as it is not necessary for their daily work. 

READ MORE: How managed detection and response relies on automation to enhance cybersecurity.

Create incident response plans (CPG Goal 2.S): Create, maintain and practice cybersecurity response plans, which can help an organization know what needs to be done to immediately address common threat scenarios and recover more quickly.

While large organizations may have complex plans, smaller entities can start with a simple plan outlining immediate steps to take in an emergency (such as contacting a service provider for assistance) and improve on the plan over time. CISA recommends organizations practice their plans by holding drills on realistic scenarios at least annually.

Again, for large organizations, these may be carefully planned tabletop exercises, but for small teams, a simple rehearsal or spoken walkthrough is still valuable.

CISA offers CPG assessments to help organizations identify areas for maturation and develop a targeted roadmap. Consider a self-assessment or get in touch with our regional team members in your area to learn more.