Cross-Sector Cybersecurity Performance Goals

CISA's Cybersecurity Performance Goals (CPGs) are a subset of cybersecurity practices, selected through a thorough process of industry, government, and expert consultation, aimed at meaningfully reducing risks to both critical infrastructure operations and the American people. These voluntary CPGs strive to help small- and medium-sized organizations kickstart their cybersecurity efforts by prioritizing investment in a limited number of essential actions with high-impact security outcomes.

The CPGs are intended to be:

• A baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value.   
• A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.   
• A combination of recommended practices for information technology (IT) and operational technology (OT) owners, including a prioritized set of security practices.   
• Unique from other control frameworks as they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation.    

CISA's CPGS have been organized to align to the National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF) functions:

1. Identify: Develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
2. Protect: Develop and implement the appropriate safeguards to ensure delivery of services.
3. Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
4. Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
5. Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that we impaired due to a cybersecurity event.

Cybersecurity Performance Goals (CPGs):

Identify (1)

Asset Inventory (1.A)

Outcome:

• Better identify known, unknown (shadow), and unmanaged assets, and more rapidly detect and respond to new vulnerabilities.

TTP or Risk Addressed:

• Hardware Additions (T1200)
• Exploit Public-Facing Application (T0819, ICS T0819)
• Internet Accessible Device (ICS T0883)

Scope:

• IT and OT assets

Recommended Action:

• Maintain a regularly updated inventory of all organizational assets with an IP address (including IPv6), including OT. This inventory is updated on a recurring basis, no less than monthly for both IT and OT.

Organizational Cybersecurity Leadership (1.B)

Outcome:

• A single leader is responsible and accountable for cybersecurity within an organization.

TTP or Risk Addressed:

• Lack of sufficient cybersecurity accountability, investment, or effectiveness.

Scope:

• N/A

Recommended Action:

• A named role/position/title is identified as responsible and accountable for planning, resourcing, and execution of cybersecurity activities. This role may undertake activities such as managing cybersecurity operations at the senior level, requesting and securing budget resources, or leading strategy development to inform future positioning.

OT Cybersecurity Leadership (1.C)

Outcome:

• A single leader is responsible and accountable for OT-specific cybersecurity within an organization with OT assets.

TTP or Risk Addressed:

• Lack of accountability, investment, or effectiveness of OT cybersecurity program.

Scope:

• N/A

Recommended Action:

• A named role/position/title is identified as responsible and accountable for planning, resourcing, and execution of OT-specific cybersecurity activities. In some organizations, this may be the same position as identified in 1.B.

Improving IT and OT Cybersecurity Relationships (1.D)

Outcome:

• Improve OT cybersecurity and more rapidly and effectively respond to OT cyber incidents.

TTP or Risk Addressed:

• Poor working relationships and a lack of mutual understanding between IT and OT cybersecurity can often result in increased risk for OT cybersecurity.

Scope:

• All IT and OT security personnel

Recommended Action:

• Organizations sponsor at least one “pizza party” or equivalent social gathering per year that is focused on strengthening working relationships between IT and OT security personnel and is not a working event (such as providing meals during an incident response).

Mitigating Known Vulnerabilities (1.E)

Outcome:

• Reduce the likelihood of threat actors exploiting known vulnerabilities to breach organizational networks.

TTP or Risk Addressed:

• Active Scanning - Vulnerability Scanning
  (T1595.002)
• Exploit Public-Facing Application
  (T1190, ICS T0819)
• Exploitation of Remote Service
  (T1210, ICS T0866)
• Supply Chain Compromise
  (T1195, ICS T0862)
• External Remote Services
  (T1133, ICS T0822)

Scope:

• Internet-facing assets

Recommended Action:

• All known exploited vulnerabilities (listed in CISA’s Known Exploited Vulnerabilities Catalog) in internet-facing systems are patched or otherwise mitigated within a risk-informed span of time, prioritizing more critical assets first.
• OT: For assets where patching is either not possible or may substantially compromise availability or safety, compensating controls are applied (e.g., segmentation, monitoring) and recorded. Sufficient controls either make the asset inaccessible from the public internet or reduce the ability of threat actors to exploit the vulnerabilities in these assets.

Third-Party Validation of Cybersecurity Control Effectiveness (1.F)

Outcome:

• Identify TTPs that lack proper defenses and establish confidence in organizational cyber defenses.

TTP or Risk Addressed:

• Reduce risk of gaps in cyber defenses or a false sense of security in existing protections.

Scope:

• IT and OT assets and networks

Recommended Action:

• Third parties with demonstrated expertise in (IT and/or OT) cybersecurity regularly validate the effectiveness and coverage of an organization’s cybersecurity defenses. These exercises, which may include penetration tests, bug bounties, incident simulations, or table-top exercises, should include both unannounced and announced tests.
• Exercises consider both the ability and impact of a potential adversary to infiltrate the network from the outside, as well as the ability of an adversary within the network (e.g., “assume breach”) to pivot laterally to demonstrate potential impact on critical systems, including operational technology and industrial control systems.
• High-impact findings from previous tests are mitigated in a timely manner and are not re-observed in future tests.

Supply Chain Incident Reporting (1.G)

Outcome:

• Organizations more rapidly learn about and respond to known incidents or breaches across vendors and service providers.

TTP or Risk Addressed:

• Supply Chain Compromise (T1195, ICS T0862)

Scope:

• Suppliers of IT and OT assets and services 

Recommended Action:

• Procurement documents and contracts, such as service-level agreements (SLAs), stipulate that vendors and/or service providers notify the procuring customer of security incidents within a risk-informed time frame as determined by the organization.

Supply Chain Vulnerability Disclosure (1.H)

Outcome:

• Organizations more rapidly learn about and respond to vulnerabilities in assets provided by vendors and service providers.

TTP or Risk Addressed:

• Supply Chain Compromise (T1195, ICS T0862)

Scope:

• Suppliers of IT and OT assets and services

Recommended Action:

• Procurement documents and contracts, such as SLAs, stipulate that vendors and/or service providers notify the procuring customer of confirmed security vulnerabilities in their assets within a risk-informed time frame as determined by the organization.

Vendor/Supplier Cybersecurity Requirements (1.I)

Outcome:

• Reduce risk by buying more secure products and services from more secure suppliers.

TTP or Risk Addressed:

• Supply Chain Compromise (T1195, ICS T0862)

Scope:

• Suppliers of IT and OT assets and services

Recommended Action:

• Organizations’ procurement documents include cybersecurity requirements and questions, which are evaluated in vendor selection such that, given two offerings of roughly similar cost and function, the more secure offering and/or supplier is preferred.

Protect (2)

Changing Default Passwords (2.A)

Outcome:

• Prevent threat actors from using default passwords to achieve initial access or move laterally in a network.

TTP or Risk Addressed:

• Valid Accounts - Default Accounts (T1078.001)
• Valid Accounts (ICS T0859)

Scope:

• Password-protected IT assets and newly acquired OT assets

Recommended Action:

• An enforced organization-wide policy and/or process that requires changing default manufacturer passwords for any/all hardware, software, and firmware before putting on any internal or external network. This includes IT assets for OT, such as OT administration web pages.
• In instances where changing default passwords is not feasible (e.g., a control system with a hard-coded password), implement and document appropriate compensating security controls, and monitor logs for network traffic and login attempts on those devices.
• OT: While changing default passwords on an organization’s existing OT requires significantly more work, we still recommend having such a policy to change default credentials for all new or future devices. This is not only easier to achieve, but also reduces potential risk in the future if adversary TTPs change.

Minimum Password Strength (2.B)

Outcome:

• Organizational passwords are harder for threat actors to guess or crack.

TTP or Risk Addressed

• Brute Force - Password Guessing (T1110.001)
• Brute Force - Password Cracking (T1110.002)
• Brute Force - Password Spraying (T1110.003)
• Brute Force - Credential Stuffing (T1110.004)

Scope:

• Password-protected IT and Windows-based OT assets

Recommended Action:

• Organizations have a system-enforced policy that requires a minimum password length of 15* or more characters for all password-protected IT assets and all OT assets, when technically feasible.** Organizations should consider leveraging passphrases and password managers to make it easier for users to maintain sufficiently long passwords. In instances where minimum password lengths are not technically feasible, compensating controls are applied and recorded, and all login attempts to those assets are logged. Assets that cannot support passwords of sufficient strength length are prioritized for upgrade or replacement.
• This goal is particularly important for organizations that lack widespread implementation of MFA and capabilities to protect against brute-force attacks (such as web application firewalls and third-party content delivery networks) or are unable to adopt passwordless authentication methods.
• * Modern attacker tools can crack eight-character passwords quickly. Length is a more impactful and important factor in password strength than complexity or frequent password rotations. Long passwords are also easier for users to create and remember.
• ** OT assets that use a central authentication mechanism (such as Active Directory) are most important to address. Examples of low-risk OT assets that may not be technically feasible include those in remote locations, such as those on offshore rigs or wind turbines.

Unique Credentials (2.C)

Outcome:

• Attackers are unable to reuse compromised credentials to move laterally across the organization, particularly between IT and OT networks.

TTP or Risk Addressed

• Valid Accounts (T1078, ICS T0859)
• Brute Force - Password Guessing (T1110.001)

Scope:

• IT and OT assets

Recommended Action

• Organizations provision unique and separate credentials for similar services and asset access on IT and OT networks. Users do not (or cannot) reuse passwords for accounts, applications, services, etc. Service accounts/machine accounts have passwords that are unique from all member user accounts.

Revoking Credentials for Departing Employees (2.D)

Outcome:

• Prevent unauthorized access to organizational accounts or resources by former employees.

TTP or Risk Addressed:

• Valid Accounts (T1078, ICS T0859)

Scope:

• Departing/Departed Employees

Recommended Action:

• A defined and enforced administrative process applied to all departing employees by the day of their departure that (1) revokes and securely returns all physical badges, key cards, tokens, etc., and (2) disables all user accounts and access to organizational resources.

Separating User and Privileged Accounts (2.E)

Outcome:

• Make it harder for threat actors to gain access to administrator or privileged accounts, even if common user accounts are compromised.

TTP or Risk Addressed:

• Valid Accounts (T1078, ICS T0859)

Scope:

• IT and OT assets, where safe and technically capable

Recommended Action:

• No user accounts always have administrator or super-user privileges. Administrators maintain separate user accounts for all actions and activities not associated with the administrator role (e.g., for business email, web browsing). Privileges are reevaluated on a recurring basis to validate continued need for a given set of permissions.

Network Segmentation (2.F)

Outcome:

• Reduce the likelihood of threat actors accessing the OT network after compromising the IT network.

TTP or Risk Addressed:

• Network Service Discovery (T1046)
• Trusted Relationship (T1199)
• Network Connection Enumeration (ICS T0840)
• Network Sniffing (T1040, ICS T0842)

Scope:

• IT and OT assets, where safe and technically capable

Recommended Action:

• All connections to the OT network are denied by default unless explicitly allowed (e.g., by IP address and port) for specific system functionality. Necessary communications paths between the IT and OT networks must pass through an intermediary, such as a properly configured firewall, bastion host, “jump box,” or a demilitarized zone, which is closely monitored, captures network logs, and only allows connections from approved assets.

Detection of Unsuccessful (Automated) Login Attempts (2.G)

Outcome:

• Protect organizations from automated, credential-based attacks.

TTP or Risk Addressed:

• Brute Force - Password Guessing (T1110.001)
• Brute Force - Password Cracking (T1110.002)
• Brute Force - Password Spraying (T1110.003)
• Brute Force - Credential Stuffing (T1110.004)

Scope:

• Password-protected IT and OT assets, where safe and technically capable

Recommended Action:

• All unsuccessful logins are logged and sent to an organization’s security team or relevant logging system. Security teams are notified (e.g., by an alert) after a specific number of consecutive, unsuccessful login attempts in a short period (e.g., five failed attempts in two minutes). This alert is logged and stored in the relevant security or ticketing system for retroactive analysis.
• For IT assets, a system-enforced policy prevents future logins for the suspicious account. For example, this could be for some minimum time, or until the account is re-enabled by a privileged user. This configuration is enabled when available on an asset. For example, Windows 11 can automatically lock out accounts for 10-minutes after 10 incorrect logins over a 10-minute period.

Phishing-Resistant Multifactor Authentication (MFA) (2.H)

Outcome:

• Add a critical, additional layer of security to protect assets accounts whose credentials have been compromised.

TTP or Risk Addressed:

• Brute Force (T1110)
• Remote Services - Remote Desktop Protocol
  (T1021.001)
• Remote Services - SSH (T1021.004)
• Valid Accounts (T1078, ICS T0859)
• External Remote Services (ICS T0822)

Scope:

• IT and OT assets with remote access, such as workstations and human-machine interfaces (HMIs), where safe and technically capable

Recommended Action:

• Organizations implement MFA for access to assets using the strongest available method for that asset (see below for scope). MFA options sorted by strength, high to low, are as follows:
  1. Hardware-based, phishing-resistant MFA (e.g., FIDO/WebAuthn or public key infrastructure (PKI) based - see CISA guidance in”Resources”);
  2. If such hardware-based MFA is not available, then mobile app-based soft tokens (preferably push notification with number matching) or emerging technology such as FIDO passkeys are used;
  3. MFA via short message service (SMS) or voice only used when no other options are possible.
• IT: All IT accounts leverage MFA to access organizational resources. Prioritize accounts with highest risk, such as privileged administrative accounts for key IT systems.
• OT: Within OT environments, MFA is enabled on all accounts and systems that can be accessed remotely, including vendors/maintenance accounts, remotely accessible user and engineering workstations, and remotely accessible HMIs.

Basic Cybersecurity Training (2.I)

Outcome:

• Organizational users learn and perform more secure behaviors.

TTP or Risk Addressed:

• User Training (M1017, ICS M0917)

Scope:

• All employees and contractors

Recommended Action:

• At least annual trainings for all organizational employees and contractors that cover basic security concepts, such as phishing, business email compromise, basic operational security, password security, etc., as well as foster an internal culture of security and cyber awareness.
• New employees receive initial cybersecurity training within 10 days of onboarding and recurring training on at least an annual basis.

OT Cybersecurity Training (2.J)

Outcome:

• Personnel responsible for securing OT assets received specialized OT-focused cybersecurity training.

TTP or Risk Addressed:

• User Training (M1017, ICS M0917)

Scope:

• All personnel responsible for OT security

Recommended Action:

• In addition to basic cybersecurity training, personnel who maintain or secure OT as part of their regular duties receive OT-specific cybersecurity training on at least an annual basis.

Strong and Agile Encryption (2.K)

Outcome:

• Effective encryption deployed to maintain confidentiality of sensitive data and integrity of IT and OT traffic.

TTP or Risk Addressed:

• Adversary-in-the-Middle (T1557)
• Automated Collection (T1119)
• Network Sniffing (T1040, ICS T0842)
• Wireless Compromise (ICS T0860)
• Wireless Sniffing (ICS T0887)

Scope:

• All IT traffic and remote OT assets (those that communicate with external entities)

Recommended Action:

• Properly configured and up-to-date secure socket layer (SSL) / transport layer security (TLS) is utilized to protect data in transit, when technically feasible. Organizations should also plan to identify any use of outdated or weak encryption, update these to sufficiently strong algorithims, and consider managing implications of post-quantum cryptography.
• OT: To minimize the impact to latency and availability, encryption is used when feasible, usually for OT communications connecting with remote/external assets.

Secure Sensitive Data (2.L)

Outcome:

• Protect sensitive information from unauthorized access.

TTP or Risk Addressed:

• Unsecured Credentials (T1552)
• Steal or Forge Kerberos Tickets (T1558)
• OS Credential Dumping (T1003)
• Data from Information Repositories (ICS T0811)
• Theft of Operational Information (T0882)

Scope:

• All passwords, credentials, secrets, and other sensitive or controlled information

Recommended Action:

• Sensitive data, including credentials, are not stored in plaintext anywhere in the organization and can only be accessed by authenticated and authorized users. Credentials are stored in a secure manner, such as with a credential/password manager or vault, or other privileged account management solution.

Email Security (2.M)

Outcome:

• Reduce risk from common email-based threats, such as spoofing, phishing, and interception.

TTP or Risk Addressed:

• Phishing (T1566)
• Business Email Compromise

Scope:

• All organizational email infrastructure

Recommended Action:

• On all corporate email infrastructure (1) STARTTLS is enabled, (2) Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are enabled, and (3) Domainbased Message Authentication, Reporting, and Conformance (DMARC) is enabled and set to “reject.” For further examples and information, see CISA’s past guidance for federal agencies.

Disable Macros by Default (2.N)

Outcome:

• Reduce the risk from embedded macros and similar executive code, a common and highly effective threat actor TTP.

TTP or Risk Addressed:

• Phishing - Spearphishing Attachment (T1566.001)
• User Execution - Malicious File (T1204.002)

Scope:

• IT assets

Recommended Action:

• A system-enforced policy that disables Microsoft Office macros, or similar embedded code, by default on all devices. If macros must be enabled in specific circumstances, there is a policy for authorized users to request that macros are enabled on specific assets.

Document Device Configurations (2.O)

Outcome:

• More efficiently and effectively manage, respond to, and recover from cyberattacks against the organization and maintain service continuity.

TTP or Risk Addressed:

• Delayed, insufficient, or incomplete ability to maintain or restore functionality of critical devices and service operations.

Scope:

• IT and OT assets

Recommended Action:

• Organizations maintain accurate documentation describing the baseline and current configuration details of all critical IT and OT assets to facilitate more effective vulnerability management and response and recovery activities. Periodic reviews and updates are performed and tracked on a recurring basis.

Document Network Topology (2.P)

Outcome:

• More efficiently and effectively respond to cyberattacks and maintain service continuity.

TTP or Risk Addressed:

• Incomplete or inaccurate understanding of network topology inhibits effective incident response and recovery.

Scope:

• All IT and OT networks

Recommended Action:

• Organizations maintain accurate documentation describing updated network topology and relevant information across all IT and OT networks. Periodic reviews and updates should be performed and tracked on a recurring basis.

Hardware and Software Approval Process (2.Q)

Outcome:

• Increase visibility into deployed technology assets and reduce the likelihood of breach by users installing unapproved hardware, firmware, or software.

TTP or Risk Addressed:

• Supply Chain Compromise (T1195, ICS T0862)
• Hardware Additions (T1200)
• Browser Extensions (T1176)
• Transient Cyber Asset (ICS T0864)

Scope:

• IT and OT assets

Recommended Action:

• Implement an administrative policy or automated process that requires approval before new hardware, firmware, or software/software version is installed or deployed. Organizations maintain a risk-informed allowlist of approved hardware, firmware, and software that includes specification of approved versions, when technically feasible. For OT assets specifically, these actions should also be aligned with defined change control and testing activities.

System Backups (2.R)

Outcome:

• Organizations reduce the likelihood and duration of data loss at loss of service delivery or operations.

TTP or Risk Addressed

• Data Destruction (T1485, ICS T0809)
• Data Encrypted for Impact (T1486)
• Disk Wipe (T1561)
• Inhibit System Recovery (T1490)
• Denial of Control (ICS T0813)
• Denial/Loss of View (ICS T0815, T0829)
• Loss of Availability (T0826)
• Loss/Manipulation of Control (T0828, T0831)

Scope:

• IT and OT assets necessary for business operations

Recommended Action:

• All systems that are necessary for operations are regularly backed up on a regular cadence (no less than once per year).
• Backups are stored separately from the source systems and tested on a recurring basis, no less than once per year. Stored information for OT assets includes at a minimum: configurations, roles, programmable controller (PLC) logic, engineering drawings, and tools.

Incident Response (IR) Plans (2.S)

Outcome:

• Organizations maintain, practice, and update cybersecurity incident response plans for relevant threat scenarios.

TTP or Risk Addressed:

• Inability to quickly and effectively contain, mitigate, and communicate about cybersecurity incidents.

Scope:

• Organization-wide

Recommended Action:

• Organizations have, maintain, update, and regularly drill IT and OT cybersecurity incident response plans for both common and organizationally-specific (e.g., by sector, locality) threat scenarios and TTPs. When conducted, tests or drills are as realistic as feasible. IR plans are drilled at least annually, and are updated within a risk-informed time frame following the lessons learned portion of any exercise or drill.

Log Collection (2.T)

Outcome:

• Achieve better visibility to detect and effectively respond to cyberattacks.

TTP or Risk Addressed:

• Delayed, insufficient, or incomplete ability to detect and respond to potential cyber incidents
• Impair Defenses (T1562)

Scope:

• IT and OT assets

Recommended Action:

• Access- and security-focused logs (e.g., intrusion detection systems/intrusion prevention systems, firewall, data loss prevention, virtual private network) are collected and stored for use in both detection and incident response activities (e.g., forensics). Security teams are notified when a critical log source is disabled, such as Windows Event Logging.
• OT: For OT assets where logs are non-standard or not available, network traffic and communications between those assets and other assets is collected.

Secure Log Storage (2.U)

Outcome:

• Organizations’ security logs are protected from unauthorized access and tampering.

TTP or Risk Addressed:

• Indicator Removal on Host - Clear Windows Event Logs (T1070.001)
• Indicator Removal on Host - Clear Linux or Mac System Logs (T1070.002)
• Indicator Removal on Host - File Deletion (T1070.004)
• Indicator Removal on Host (ICS T0872)

Scope:

• IT and OT assets

Recommended Action:

• Logs are stored in a central system, such as a security information and event management tool or central database, and can only be accessed or modified by authorized and authenticated users. Logs are stored for a duration informed by risk or pertinent regulatory guidelines.

Prohibit Connection of Unauthorized Devices (2.V)

Outcome:

• Prevent malicious actors from achieving initial access or data exfiltration via unauthorized portable media devices.

TTP or Risk Addressed:

• Hardware Additions (T1200)
• Replication Through Removable Media (T1091, ICS T0847)

Scope:

• IT and OT assets

Recommended Action:

• Organizations maintain policies and processes to ensure that unauthorized media and hardware are not connected to IT and OT assets, such as by limiting use of USB devices and removable media or disabling AutoRun.
• OT: When feasible, establish procedures to remove, disable, or otherwise secure physical ports to prevent the connection of unauthorized devices or establish procedures for granting access through approved exceptions.

No Exploitable Services on the Internet (2.W)

Outcome:

• Unauthorized users cannot gain an initial system foothold by exploiting known weaknesses in public-facing assets.

TTP or Risk Addressed:

• Active Scanning - Vulnerability Scanning (T1595.002)
• Exploit Public-Facing Application (T1190, ICS T0819)
• Exploitation of Remote Service (T1210, ICS T0866)
• External Remote Services (T1133, ICS T0822)
• Remote Services - Remote Desktop Protocol (T1021.001)

Scope:

• IT and OT assets on the public internet

Recommended Action:

• Assets on the public internet expose no exploitable services, such as remote desktop protocol. Where these services must be exposed, appropriate compensating controls are implemented to prevent common forms of abuse and exploitation. All unnecessary OS applications and network protocols are disabled on internet-facing assets.

Limit OT Connections to Public Internet (2.X)

Outcome:

• Reduce the risk of threat actors exploiting or interrupting OT assets connected to the public internet.

TTP or Risk Addressed:

• Active Scanning - Vulnerability Scanning (T1595.002)
• Exploit Public-Facing Application (T1190, ICS T0819)
• Exploitation of Remote Service (T1210, ICS T0866)
• External Remote Services (T1133, ICS T0822)

Scope:

• OT assets on the public internet

Recommended Action:

• No OT assets are on the public internet, unless explicitly required for operation. Exceptions must be justified and documented, and excepted assets must have additional protections in place to prevent and detect exploitation attempts (such as logging, MFA, mandatory access via proxy or other intermediary, etc.).

Detect (3)

Detecting Relevant Threats and TTPs (3.A)

Outcome:

• Organizations are aware of and able to detect relevant threats and TTPs.

TTP or Risk Addressed:

• Without the knowledge of relevant threats and ability to detect them, organizations risk that threat actors may exist undetected in their networks for long periods.

Scope:

• N/A

Recommended Action:

• Organizations document a list of threats and cyber actor TTPs relevant to their organization (e.g., based on industry, sectors), and maintain the ability (such as via rules, alerting, or commercial prevention and detection systems) to detect instances of those key threats.

Respond (4)

Incident Reporting (4.A)

Outcome:

• CISA and other organizations are better able to provide assistance or understand the broader scope of a cyberattack.

TTP or Risk Addressed:

• Without timely incident reporting, CISA and other groups are less able to assist affected organizations and lack critical insight into the broader threat landscape (such as whether a broader attack is occurring against a specific sector).

Scope:

• Organization-wide

Recommended Action:

• Organizations maintain codified policy and procedures on to whom and how to report all confirmed cybersecurity incidents to appropriate external entities (e.g., state/federal regulators or SRMA’s as required, ISAC/ISAO, as well as CISA).
• Known incidents are reported to CISA as well as other necessary parties within time frames directed by applicable regulatory guidance or in the absence of guidance, as soon as safely capable. This goal will be revisited following full implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

Vulnerability Disclosure/Reporting (4.B)

Outcome:

• Organizations more rapidly learn about vulnerabilities or weaknesses in their assets discovered by security researchers; researchers are more incentivized to responsibly share their findings.

TTP or Risk Addressed:

• Active Scanning - Vulnerability Scanning (T1595.002)
• Exploit Public-Facing Application (T1190, ICS T0819)
• Exploitation of Remote Service (T1210, ICS T0866)
• Supply Chain Compromise (T1195, ICS T0862)

Scope:

• All assets

Recommended Action:

• Consistent with NIST SP 800-53 Revision 5, organizations maintain a public, easily discoverable method for security researchers to notify (e.g., via email address or web form) organizations’ security teams of vulnerable, misconfigured, or otherwise exploitable assets. Valid submissions are acknowledged and responded to in a timely manner, taking into account the completeness and complexity of the vulnerability. Validated and exploitable weaknesses are mitigated consistent with their severity.
• Security researchers sharing vulnerabilities discovered in good faith are protected under Safe Harbor rules.
• In instances where vulnerabilities are validated and disclosed, public acknowledgement is given to the researcher who originally submitted the notification.

Deploy Security.TXT Files (4.C)

Outcome:

• Allow security researchers to submit discovered weaknesses or vulnerabilities faster.

TTP or Risk Addressed:

• Active Scanning - Vulnerability Scanning (T1595.002)
• Exploit Public-Facing Application (T1190, ICS T0819)
• Exploitation of Remote Service (T1210, ICS T0866)
• Supply Chain Compromise (T1195, ICS T0862)

Scope:

• All public-facing web domains

Recommended Action:

• All public-facing web domains have a security.txt file that conforms to the recommendations in RFC 9116

Recover (5)

Incident Planning and Preparedness (5.A)

Outcome:

• Organizations are capable of safely and effectively recovering from a cybersecurity incident.

TTP or Risk Addressed:

• Disruption to availability of an asset, service, or system.

Scope:

• IT and OT assets

Recommended Action:

• Develop, maintain, and execute plans to recover and restore to service business- or mission-critical assets or systems that might be impacted by a cybersecurity incident.

CISA’s CPGs are not comprehensive. They do not identify all the cybersecurity practices needed to protect national and economic security and public health and safety. They capture a core set of cybersecurity practices with known risk-reduction value broadly applicable across sectors.      

For more information or to seek additional help, contact Central. For media inquiries, please contact CISA Media at CISAMedia@cisa.dhs.gov.