Cybersecurity governance is a comprehensive cybersecurity strategy that integrates with organizational operations and prevents the interruption of activities due to cyber threats or attacks. Features of cybersecurity governance include:
- Accountability frameworks
- Decision-making hierarchies
- Defined risks related to business objectives
- Mitigation plans and strategies
- Oversight processes and procedures
How does CISA support Cybersecurity Governance?
CISA oversees information security policies and practices for Federal Civilian Executive Branch (FCEB) Agencies. CISA develops and oversees information security parameters, works with federal partners to bolster their cybersecurity and incident response postures, and safeguards the networks that support our nation’s essential operations.
CISA develops and oversees the implementation of “binding operational directives” and “emergency directives,” which require action on the part of certain federal agencies in the civilian Executive Branch.
The goal of the emergency directive is to help federal agencies prioritize their remediation efforts, focus on those assets that carry the highest risks, and provide guidance for mitigations where updates are still not available.
Binding Operational Directives
A binding operational directive is a compulsory direction to federal executive branch departments and agencies for purposes of safeguarding federal information and information systems.
BOD 23-01: Implementation Guidance for Improving Asset Visibility and Vulnerability Detection on Federal Networks
State Cybersecurity Governance Report and Case Studies
In recognition of the importance of governance in addressing cyber risks, CISA’s Cybersecurity Division and the National Association of State Chief Information Officers (NASCIO) partnered to develop a State Cybersecurity Governance Report and a series of State Cybersecurity Governance Case Studies exploring how states govern cybersecurity.
The report and case studies identify how states have used laws, policies, structures, and processes to help better govern cybersecurity as an enterprise-wide strategic issue across state governments and other public and private sector stakeholders. They explore cross-enterprise governance mechanisms used by states across a range of common cybersecurity areas and offer insight on trends and concepts useful to other states and organizations that face similar challenges.
The Homeland Security Systems Engineering and Development Institute (HSSEDI), a DHS-owned Federally Funded Research and Development Center (FFRDC), developed the case studies.