Cybersecurity governance is a comprehensive cybersecurity strategy that integrates with organizational operations and prevents the interruption of activities due to cyber threats or attacks. Features of cybersecurity governance include:
- Accountability frameworks
- Decision-making hierarchies
- Defined risks related to business objectives
- Mitigation plans and strategies
- Oversight processes and procedures
How does CISA support Cybersecurity Governance?
CISA oversees information security policies and practices for Federal Civilian Executive Branch (FCEB) Agencies. CISA develops and oversees information security parameters, works with federal partners to bolster their cybersecurity and incident response postures, and safeguards the networks that support our nation’s essential operations.
Cybersecurity Directives
CISA develops and oversees the implementation of “binding operational directives” and “emergency directives,” which require action on the part of certain federal agencies in the civilian Executive Branch.
Emergency Directives
The goal of the emergency directive is to help federal agencies prioritize their remediation efforts, focus on those assets that carry the highest risks, and provide guidance for mitigations where updates are still not available.
ED 22-03: Mitigate VMware Vulnerabilities
CISA has identified vulnerabilities in VMWare products that pose an unacceptable risk to FCEB agencies and require emergency action.
ED 21-04: Mitigate Windows Print Spooler Service Vulnerability
A vulnerability in the Microsoft Windows Print Spooler service allows an attacker to remotely execute code with system level privileges and quickly compromise the entire identity infrastructure of a targeted organization.
ED 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
Vulnerabilities in Microsoft Exchange on-premises products allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.
ED 21-03: Mitigate Pulse Connect Secure Product Vulnerabilities
Exploitation of Pulse Connect Secure product vulnerabilities allows an attacker to place webshells on the appliance to gain persistent system access into the appliance operating the vulnerable software.
Binding Operational Directives
A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.
BOD 23-01: Improving Asset Visibility and Vulnerability Detection on Federal Networks
FCEBs are directed to make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities by focusing on asset discovery and vulnerability enumeration.
BOD 23-01: Implementation Guidance for Improving Asset Visibility and Vulnerability Detection on Federal Networks
The purpose of this document is to help federal agencies interpret and implement BOD 23-01.
BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities
This directive establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal enterprise and establishes requirements for agencies to remediate any such vulnerabilities included in the catalog.
BOD 20-01: Develop and Publish a Vulnerability Disclosure Policy
This directive requires each agency to develop and publish a vulnerability disclosure policy (VDP) and maintain supporting handling procedures.
BOD 19-02: Vulnerability Remediation Requirements for Internet-Accessible Systems
This directive supersedes BOD 15-01 and requires effective and timely remediation of critical and high vulnerabilities identified through Cyber Hygiene scanning.
State Cybersecurity Governance Report and Case Studies
In recognition of the importance of governance in addressing cyber risks, the CISA’s Cybersecurity Division and the National Association of State Chief Information Officers (NASCIO) partnered to develop a State Cybersecurity Governance Report and series of State Cybersecurity Governance Case Studies exploring how states govern cybersecurity.
The report and case studies identify how states have used laws, policies, structures, and processes to help better govern cybersecurity as an enterprise-wide strategic issue across state governments and other public and private sector stakeholders. They explore cross-enterprise governance mechanisms used by states across a range of common cybersecurity areas and offer insight on trends and concepts useful to other states and organizations that face similar challenges.
The Homeland Security Systems Engineering and Development Institute (HSSEDI), a DHS owned Federally Funded Research and Development Center (FFRDC), developed the case studies.
State Cybersecurity Governance Cross Site Report
PUBLICATION
An examination of how five states have implemented enterprise-wide, strategic cybersecurity governance and use cross-enterprise mechanisms to prioritize, plan and make decisions about cybersecurity.
Georgia Case Study
DEC 01, 2017
| PUBLICATION
A look into how Georgia’s laws, policies, structures, and processes have been built to develop cross-enterprise cybersecurity governance. This study offers insight and approaches for other states to consider when implementing their own governance processes.
Michigan Case Study
DEC 01, 2017
| PUBLICATION
An examination into a broad range of areas involved in Michigan’s cybersecurity governance approach involving both state government and a diverse set of public and private sector stakeholders.
New Jersey Case Study
DEC 01, 2017
| PUBLICATION
As a state that is still in the process of implementing a unified cybersecurity governance approach, this case study offers unique insight into the impact of changes made since 2015 and the plans New Jersey hopes to implement in the future.
Washington Case Study
DEC 01, 2017
| PUBLICATION
A case study about Washington state’s efforts to build a unified cybersecurity governance approach, its collaborative efforts with private sector stakeholders, and overcoming cyber workforce shortages.
Virginia Case Study
DEC 01, 2017
| PUBLICATION
A report about Virginia’s unique relationship with public and private sector entities and the strategies used to incorporate these perspectives into Virginia’s consolidated cybersecurity governance approach.