Cybersecurity & Infrastructure Security Agency (CISA)
Cybersecurity Governance

Cybersecurity governance is a comprehensive cybersecurity strategy that integrates with organizational operations and aims to prevent the interruption of activities by cyber threats or attacks. Elements of cybersecurity governance include:

  • Accountability frameworks
  • Decision-making hierarchies
  • Defined risks related to business objectives
  • Mitigation plans and strategies
  • Oversight processes and procedures

How does CISA support Cybersecurity Governance?

CISA oversees information security policies and practices for Federal Civilian Executive Branch (FCEB) agencies. CISA develops and oversees information security requirements, works with federal partners to bolster their cybersecurity and incident response postures, and safeguards the networks that support the nation’s essential operations.

Cybersecurity Directives

CISA develops and oversees the implementation of “binding operational directives” and “emergency directives,” which require action on the part of certain federal agencies in the civilian Executive Branch.

Emergency Directives

The goal of an emergency directive is to help federal agencies prioritize their remediation efforts, focus on the assets that carry the highest risk, and provide guidance on mitigations where updates are not yet available.

ED 22-03: Mitigate VMware Vulnerabilities

CISA has identified vulnerabilities in VMware products that pose an unacceptable risk to FCEB agencies and require emergency action.

ED 21-04: Mitigate Windows Print Spooler Service Vulnerability

A vulnerability in the Microsoft Windows Print Spooler service allows an attacker to execute code remotely with system-level privileges and quickly compromise the entire identity infrastructure of a targeted organization.

ED 21-03: Mitigate Pulse Connect Secure Product Vulnerabilities

Exploitation of Pulse Connect Secure product vulnerabilities allows an attacker to place webshells on the appliance and gain persistent access to the appliance running the vulnerable software.

ED 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities

Vulnerabilities in Microsoft Exchange on-premises products allow an attacker to access on-premises Exchange servers, gaining persistent system access and control of an enterprise network.

Binding Operational Directives

A binding operational directive is a compulsory direction to federal executive branch departments and agencies for the purpose of safeguarding federal information and information systems.

BOD 23-01: Improving Asset Visibility and Vulnerability Detection on Federal Networks

FCEB agencies are directed to make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities by focusing on asset discovery and vulnerability enumeration.

BOD 23-01: Implementation Guidance for Improving Asset Visibility and Vulnerability Detection on Federal Networks

The purpose of this document is to help federal agencies interpret and implement BOD 23-01.

BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities

This directive establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal enterprise and establishes requirements for agencies to remediate any such vulnerabilities included in the catalog.

BOD 20-01: Develop and Publish a Vulnerability Disclosure Policy

This directive requires each agency to develop and publish a vulnerability disclosure policy (VDP) and maintain supporting handling procedures.

BOD 19-02: Vulnerability Remediation Requirements for Internet-Accessible Systems

This directive supersedes BOD 15-01 and requires effective and timely remediation of critical and high vulnerabilities identified through Cyber Hygiene scanning.

State Cybersecurity Governance Report and Case Studies

In recognition of the importance of governance in addressing cyber risks, CISA’s Cybersecurity Division and the National Association of State Chief Information Officers (NASCIO) partnered to develop a State Cybersecurity Governance Report and a series of State Cybersecurity Governance Case Studies exploring how states govern cybersecurity.

The report and case studies identify how states have used laws, policies, structures, and processes to better govern cybersecurity as an enterprise-wide strategic issue across state governments and other public and private sector stakeholders. They explore cross-enterprise governance mechanisms used by states across a range of common cybersecurity areas and offer insight on trends and concepts useful to other states and organizations that face similar challenges.

The Homeland Security Systems Engineering and Development Institute (HSSEDI), a DHS-owned Federally Funded Research and Development Center (FFRDC), developed the case studies.

State Cybersecurity Governance Cross Site Report

PUBLICATION
An examination of how five states have implemented enterprise-wide, strategic cybersecurity governance and use cross-enterprise mechanisms to prioritize, plan and make decisions about cybersecurity.

Georgia Case Study

DEC 01, 2017 | PUBLICATION
A look into how Georgia’s laws, policies, structures, and processes have been built to develop cross-enterprise cybersecurity governance. This study offers insight and approaches for other states to consider when implementing their own governance processes.

Michigan Case Study

DEC 01, 2017 | PUBLICATION
An examination into a broad range of areas involved in Michigan’s cybersecurity governance approach involving both state government and a diverse set of public and private sector stakeholders.

New Jersey Case Study

DEC 01, 2017 | PUBLICATION
New Jersey is still in the process of implementing a unified cybersecurity governance approach; this case study offers unique insight into the impact of changes made since 2015 and the plans the state hopes to implement in the future.

Washington Case Study

DEC 01, 2017 | PUBLICATION
A case study of Washington state’s efforts to build a unified cybersecurity governance approach, its collaboration with private sector stakeholders, and its approach to overcoming cyber workforce shortages.

Virginia Case Study

DEC 01, 2017 | PUBLICATION
A report about Virginia’s unique relationship with public and private sector entities and the strategies used to incorporate these perspectives into Virginia’s consolidated cybersecurity governance approach.