Every day, organizations across our country are impacted by cyber intrusions, many of which affect the delivery of essential services. Security professionals and business leaders alike recognize the need to protect their customers, employees, and enterprises against this threat, which raises a simple but challenging question: where to start?
We know that no organization can adopt every possible cybersecurity measure or solution, but every organization can do something. We also know that some cybersecurity measures are more effective than others in addressing the types of attacks that occur with the greatest frequency and impact. There’s no shortage of guidance, best practices, and standards, but we’ve heard from countless partners about a challenge in prioritization.
To address this gap, President Biden’s National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems required the Cybersecurity and Infrastructure Security Agency (CISA) to work with industry and interagency partners to develop a set of voluntary Cross-Sector Cybersecurity Performance Goals (CPGs). We first introduced the CPGs in December 2022 and updated them this March based on initial stakeholder feedback. The CPGs were developed for entities of all sizes and across all sectors, and they are meant to enable rigorous prioritization, because being secure shouldn’t mean breaking the budget. In addition, the CPGs can help organizations evaluate their current cyber posture while guiding them toward a strong cybersecurity foundation.
We believe that if every organization incorporates fundamental cybersecurity practices, it can materially reduce the risk of intrusions, no matter its sector or size. As the nation’s Cyber Defense Agency, our goal at CISA is to make it easier for every organization to prioritize the most important cybersecurity practices. We also want to be sure those practices are clear, easy to understand, and, when implemented, lay out tangible steps organizations can take to reduce the risk of cyberattacks and the damage they can wreak.
Organized according to the Cybersecurity Framework, the CPGs reflect some of the best thinking gleaned from across the cybersecurity community and draw from extensive input from experts across sectors, public and private, domestic and international.
While the full list of goals may seem long, particularly for small organizations, they are quite achievable. For example, some straightforward and essential practices you can start implementing today are:
- Change default passwords (CPG Goal 2.A): Creating and enforcing an organization-wide policy that requires changing manufacturers’ default passwords before putting hardware, software, or firmware on the network can help organizations both prevent initial access by threat actors and hinder lateral movement in the event of a compromise. Many devices, such as smartphones, prompt new users to set a new password by default. However, many devices still do not prompt users to take this action, so changing the default password should be one of the first steps when deploying any new asset or device. Importantly, no technology product should come with a default password that isn’t reset on first use. When purchasing a product, ask your vendor about their use of default passwords!
- Implement phishing-resistant multifactor authentication (MFA) (CPG Goal 2.H): Adding a critical, additional layer of security to protect your organization’s accounts can deny threat actors the initial foothold they need to wreak havoc. CISA recommends using hardware-based tokens, such as FIDO or Public Key Infrastructure (PKI) authenticators, for the greatest resistance to exploitation. App-based soft tokens are a good option as well. While better than having no additional security layer, Short Message Service (SMS) should be an organization’s last resort for implementing multifactor authentication. For more information, see CISA’s fact sheet on Implementing Phishing-Resistant MFA along with other information available on CISA’s More than a Password page. Similar to the action above, technology products should come out of the box with MFA enabled by default, without additional cost. When selecting a technology product, remind your vendor that you expect MFA to be automatically enabled for all users.
- Separate user and privileged accounts (CPG Goal 2.E): Make it harder for threat actors to gain access or escalate privileges, even if user accounts are compromised, by ensuring that no day-to-day user accounts carry administrator-level privileges. Re-evaluate privileges on a recurring basis to validate the need for specific permissions. For example, an employee on the marketing team should likely not have access to company human resources data, as it is not necessary for their daily work.
- Incident response plans (CPG Goal 2.S): Create, maintain, and exercise cybersecurity response plans, which help an organization know what needs to be done to address common threat scenarios and recover more quickly. While large organizations may have complex plans, smaller entities may start with a simple plan outlining the immediate steps to take in an emergency (such as contacting a service provider for assistance) and improve on the plan over time. CISA recommends that organizations exercise the plan by drilling realistic scenarios at least annually. Again, for large organizations these may be carefully planned tabletop exercises, but for small teams, approaches such as simple rehearsals or spoken walkthroughs can still provide value.
We offer a free CPG assessment to help organizations identify areas for maturation and develop a targeted roadmap. Consider a self-assessment or get in touch with our regional team members in your area to learn more! To learn more about the CPGs, take a look at our brief video and visit www.cisa.gov/cpg.