Cybersecurity & Infrastructure Security Agency
Cybersecurity Governance

Cybersecurity governance is a comprehensive cybersecurity strategy that integrates with organizational operations and prevents the interruption of activities due to cyber threats or attacks. Features of cybersecurity governance include:

  • Accountability frameworks
  • Decision-making hierarchies
  • Defined risks related to business objectives
  • Mitigation plans and strategies
  • Oversight processes and procedures

How does CISA support Cybersecurity Governance?

CISA oversees information security policies and practices for Federal Civilian Executive Branch (FCEB) Agencies. CISA develops and oversees information security parameters, works with federal partners to bolster their cybersecurity and incident response postures, and safeguards the networks that support our nation’s essential operations.

Cybersecurity Directives

CISA develops and oversees the implementation of “binding operational directives” and “emergency directives,” which require action on the part of certain federal agencies in the civilian Executive Branch.

Emergency Directives

The goal of the emergency directive is to help federal agencies prioritize their remediation efforts, focus on those assets that carry the highest risks, and provide guidance for mitigations where updates are still not available.

Emergency Directive 22-03

CISA has identified vulnerabilities in VMware products that pose an unacceptable risk to FCEB agencies and require emergency action.

Emergency Directive 21-04

A vulnerability in the Microsoft Windows Print Spooler service allows an attacker to remotely execute code with system-level privileges and quickly compromise the entire identity infrastructure of a targeted organization.

Emergency Directive 21-02

Vulnerabilities in Microsoft Exchange on-premises products allow an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.

Emergency Directive 21-03

Exploitation of Pulse Connect Secure product vulnerabilities allows an attacker to place webshells on the appliance and gain persistent system access to the appliance running the vulnerable software.

Binding Operational Directives

A binding operational directive is a compulsory direction to federal executive branch departments and agencies for the purpose of safeguarding federal information and information systems.

Binding Operational Directive 23-01

FCEB agencies are directed to make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities by focusing on asset discovery and vulnerability enumeration.

Binding Operational Directive 23-01 Implementation Guidance

The purpose of this document is to help federal agencies interpret and implement BOD 23-01.

Binding Operational Directive 22-01

This directive establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal enterprise and establishes requirements for agencies to remediate any such vulnerabilities included in the catalog.

Binding Operational Directive 20-01

This directive requires each agency to develop and publish a vulnerability disclosure policy (VDP) and maintain supporting handling procedures.

Binding Operational Directive 19-02

This directive supersedes BOD 15-01 and requires effective and timely remediation of critical and high vulnerabilities identified through Cyber Hygiene scanning.
State Cybersecurity Governance Report and Case Studies

In recognition of the importance of governance in addressing cyber risks, CISA’s Cybersecurity Division and the National Association of State Chief Information Officers (NASCIO) partnered to develop a State Cybersecurity Governance Report and a series of State Cybersecurity Governance Case Studies exploring how states govern cybersecurity.

The report and case studies identify how states have used laws, policies, structures, and processes to better govern cybersecurity as an enterprise-wide strategic issue across state governments and other public and private sector stakeholders. They explore cross-enterprise governance mechanisms used by states across a range of common cybersecurity areas and offer insight on trends and concepts useful to other states and organizations that face similar challenges.

The Homeland Security Systems Engineering and Development Institute (HSSEDI), a DHS-owned Federally Funded Research and Development Center (FFRDC), developed the case studies.

State Cybersecurity Governance Cross Site Report

PUBLICATION
An examination of how five states have implemented enterprise-wide, strategic cybersecurity governance and use cross-enterprise mechanisms to prioritize, plan and make decisions about cybersecurity.
Download File (PDF, 5.6 MB)

Georgia Case Study

DEC 01, 2017 | PUBLICATION
A look into how Georgia’s laws, policies, structures, and processes have been built to develop cross-enterprise cybersecurity governance. This study offers insight and approaches for other states to consider when implementing their own governance processes.
Download File (PDF, 780.58 KB)

Michigan Case Study

DEC 01, 2017 | PUBLICATION
An examination into a broad range of areas involved in Michigan’s cybersecurity governance approach involving both state government and a diverse set of public and private sector stakeholders.
Download File (PDF, 956.39 KB)

New Jersey Case Study

DEC 01, 2017 | PUBLICATION
As a state that is still in the process of implementing a unified cybersecurity governance approach, this case study offers unique insight into the impact of changes made since 2015 and the plans New Jersey hopes to implement in the future.
Download File (PDF, 1.17 MB)

Washington Case Study

DEC 01, 2017 | PUBLICATION
A case study about Washington state’s efforts to build a unified cybersecurity governance approach, its collaborative efforts with private sector stakeholders, and overcoming cyber workforce shortages.
Download File (PDF, 857.04 KB)

Virginia Case Study

DEC 01, 2017 | PUBLICATION
A report about Virginia’s unique relationship with public and private sector entities and the strategies used to incorporate these perspectives into Virginia’s consolidated cybersecurity governance approach.
Download File (PDF, 1.54 MB)