
CISA CPG Interactive Checklist

Cross-Sector Cybersecurity Performance Goals v1.0.1

Official Source: CISA CPG Checklist v1.0.1 (PDF)
Built by Klavan Security - Your Mission Ready SOC 2 Partner

Aligned with NIST Cybersecurity Framework Functions: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER

IDENTIFY (9 Goals)
1.A Asset Inventory
Maintain a regularly updated inventory of all organizational assets with an IP address (including IPv6), including OT. This inventory is updated on a recurring basis, no less than monthly for both IT and OT.
1.B Organizational Cybersecurity Leadership
A named role/position/title is identified as responsible and accountable for planning, resourcing, and execution of cybersecurity activities. This role may undertake activities such as managing cybersecurity operations at the senior level, requesting and securing budget resources, or leading strategy development.
1.C OT Cybersecurity Leadership
A named role/position/title is identified as responsible and accountable for planning, resourcing, and execution of OT-specific cybersecurity activities. In some organizations this may be the same position as identified in 1.B.
1.D Improving IT and OT Cybersecurity Relationships
Organizations sponsor at least one "pizza party" or equivalent social gathering per year that is focused on strengthening working relationships between IT and OT security personnel, and is not a working event.
1.E Mitigating Known Vulnerabilities
All known exploited vulnerabilities (listed in CISA's KEV Catalog) in internet-facing systems are patched or otherwise mitigated within a risk-informed span of time, prioritizing more critical assets first. For OT assets where patching is not possible, compensating controls are applied.
1.F Third-Party Validation of Cybersecurity Control Effectiveness
Third parties with demonstrated expertise should regularly validate the effectiveness and coverage of cybersecurity defenses. These exercises may include penetration tests, bug bounties, incident simulations, or table-top exercises.
1.G Supply Chain Incident Reporting
Procurement documents and contracts stipulate that vendors and/or service providers notify the procuring customer of security incidents within a risk-informed time frame.
1.H Supply Chain Vulnerability Disclosure
Procurement documents and contracts stipulate that vendors and/or service providers notify the procuring customer of confirmed security vulnerabilities in their assets within a risk-informed time frame.
1.I Vendor/Supplier Cybersecurity Requirements
Organizations' procurement documents include cybersecurity requirements and questions, which are evaluated in vendor selection such that the more secure offering and/or supplier is preferred.
PROTECT (24 Goals)
2.A Changing Default Passwords
An enforced organization-wide policy requires changing default manufacturer passwords for any/all hardware, software, and firmware before placing them on any internal or external network. This includes IT assets used for OT.
2.B Minimum Password Strength
Organizations have a system-enforced policy that requires a minimum password length of 15+ characters for all password-protected IT assets, and all OT assets where technically feasible. Consider leveraging passphrases and password managers.
2.C Unique Credentials
Organizations provision unique and separate credentials for similar services and asset access on IT and OT networks. Users do not (or cannot) reuse passwords for accounts, applications, services, etc.
2.D Revoking Credentials for Departing Employees
A defined and enforced administrative process applied to all departing employees by the day of their departure that (1) revokes and securely returns all physical badges, key cards, tokens, etc., and (2) disables all user accounts and access.
2.E Separating User and Privileged Accounts
No user account holds standing administrator or super-user privileges. Administrators maintain separate user accounts for all actions and activities not associated with the administrator role (e.g., for business email, web browsing).
2.F Network Segmentation
All connections to the OT network are denied by default unless explicitly allowed. Necessary communications paths between IT and OT networks must pass through an intermediary (firewall, bastion host, "jump box," or DMZ) which is closely monitored.
2.G Detection of Unsuccessful (Automated) Login Attempts
All unsuccessful logins are logged and sent to the security team. Security teams are notified after a specific number of consecutive, unsuccessful login attempts in a short period. System-enforced policy prevents future logins for the suspicious account.
2.H Phishing-Resistant Multi-Factor Authentication (MFA)
Organizations implement MFA using the strongest available method. Prioritize: (1) Hardware-based phishing-resistant MFA (FIDO/WebAuthn or PKI), (2) Mobile app-based soft tokens or FIDO passkeys, (3) SMS/voice only when no other options exist. All IT accounts leverage MFA; OT implements MFA for remote access.
2.I Basic Cybersecurity Training
At least annual trainings for all organizational employees and contractors that cover basic security concepts such as phishing, business email compromise, basic OPSEC, password security, etc. New employees receive initial training within 10 days of onboarding.
2.J OT Cybersecurity Training
In addition to basic cybersecurity training, personnel who maintain or secure OT as part of their regular duties receive OT-specific cybersecurity training on at least an annual basis.
2.K Strong and Agile Encryption
Properly configured and up-to-date transport layer security (TLS) is utilized to protect data in transit, when technically feasible. Organizations should plan to identify any use of outdated or weak encryption and update to sufficiently strong algorithms.
2.L Secure Sensitive Data
Sensitive data, including credentials, are not stored in plaintext anywhere in the organization and can only be accessed by authenticated and authorized users. Credentials are stored in a secure manner, such as with a credential/password manager or vault.
2.M Email Security
On all corporate email infrastructure: (1) STARTTLS is enabled, (2) SPF and DKIM are enabled, and (3) DMARC is enabled and set to "reject."
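As an added example (not part of the checklist or of CISA's material), the offline check below evaluates a domain's SPF, DKIM and DMARC TXT records against the requirements in 2.M, using constructed records for made-up domains and a placeholder DKIM key; STARTTLS is not covered because verifying it needs an SMTP session rather than DNS data.

```python
"""Offline check of a domain's SPF, DKIM and DMARC records against CPG 2.M."""
import re

# Constructed sample TXT records (made-up domains, placeholder DKIM key).
# A real check would query DNS TXT records for these names instead.
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.mail.test -all"],
    "sel1._domainkey.example.test": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
    "weak.test": ["v=spf1 +all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.test"],
}

def tag_values(record):
    """Parse 'v=DMARC1; p=reject; ...' (or a DKIM record) into a tag->value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_email_security(domain, selectors, txt=SAMPLE_TXT):
    """Return {control: (passed, detail)} for SPF, DKIM and DMARC."""
    results = {}
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        results["SPF"] = (False, f"{len(spf)} SPF records; exactly one is required")
    elif re.search(r"\s\+all$", spf[0]):
        results["SPF"] = (False, "'+all' authorises any sender; use -all or ~all")
    else:
        results["SPF"] = (True, spf[0])
    keyed = [s for s in selectors
             if any(r.startswith("v=DKIM1") and tag_values(r).get("p")
                    for r in txt.get(f"{s}._domainkey.{domain}", []))]
    results["DKIM"] = (bool(keyed), f"selectors publishing a key: {keyed}")
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    if not dmarc:
        results["DMARC"] = (False, "no DMARC record")
    else:
        policy = tag_values(dmarc[0]).get("p", "")
        results["DMARC"] = (policy == "reject",
                            f"p={policy or 'missing'}; 2.M requires p=reject")
    return results

def compliant(domain, selectors, txt=SAMPLE_TXT):
    """True only when SPF, DKIM and DMARC all pass."""
    return all(ok for ok, _ in check_email_security(domain, selectors, txt).values())
```

A DMARC record with p=none or p=quarantine still fails this check, which matches the goal's wording of "set to reject".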
2.N Disable Macros by Default
A system-enforced policy that disables Microsoft Office macros, or similar embedded code, by default on all devices. If macros must be enabled in specific circumstances, there is a policy for authorized users to request that macros are enabled on specific assets.
2.O Document Device Configurations
Organizations maintain accurate documentation describing the baseline and current configuration details of all critical IT and OT assets to facilitate more effective vulnerability management and response and recovery activities. Periodic reviews and updates are performed.
2.P Document Network Topology
Organizations maintain accurate documentation describing updated network topology and relevant information across all IT and OT networks. Periodic reviews and updates should be performed and tracked on a recurring basis.
2.Q Hardware and Software Approval Process
Implement an administrative policy or automated process that requires approval before new hardware, firmware, or software/software version is installed or deployed. Organizations maintain a risk-informed allowlist of approved hardware, firmware, and software.
2.R System Backups
All systems that are necessary for operations are backed up on a regular cadence, no less than once per year. Backups are stored separately from the source systems and tested on a recurring basis, no less than once per year.
2.S Incident Response (IR) Plans
Organizations have, maintain, update, and regularly drill IT and OT cybersecurity incident response plans for both common and organization-specific threat scenarios. IR plans are drilled at least annually and updated following lessons learned.
2.T Log Collection
Access- and security-focused (e.g., IDS/IDPS, firewall, DLP, VPN) logs are collected and stored for use in detection and incident response activities. Security teams are notified when a critical log source is disabled. For OT assets, network traffic and communications to/from logless assets are collected.
2.U Secure Log Storage
Logs are stored in a central system, such as a SIEM tool or central database, and can only be accessed or modified by authorized and authenticated users. Logs are stored for a duration informed by risk or pertinent regulatory guidelines.
2.V Prohibit Connection of Unauthorized Devices
Organizations maintain policies and processes to ensure that unauthorized media and hardware are not connected to IT and OT assets, such as by limiting use of USB devices and removable media or disabling AutoRun. For OT, establish procedures to remove, disable, or secure physical ports.
2.W No Exploitable Services on the Internet
Assets on the public internet expose no exploitable services, such as RDP. Where these services must be exposed, appropriate compensating controls are implemented. All unnecessary OS applications and network protocols are disabled on internet-facing assets.
2.X Limit OT Connections to Public Internet
No OT assets are on the public internet, unless explicitly required for operation. Exceptions must be justified and documented, and excepted assets must have additional protections in place (e.g., logging, MFA, mandatory access via proxy).
DETECT (1 Goal)
3.A Detecting Relevant Threats and TTPs
Organizations have documented a list of threats and cyber threat actor TTPs relevant to their organization (for example, based on industry, sectors, etc.), and have the ability (such as via rules, alerting, or commercial prevention and detection systems) to detect instances of those key threats.
RESPOND (3 Goals)
4.A Incident Reporting
Organizations maintain codified policy and procedures specifying to whom and how to report all confirmed cybersecurity incidents to appropriate external entities (e.g., state/federal regulators, ISACs, ISAOs, and CISA). Known incidents are reported to CISA within time frames directed by applicable regulatory guidance.
4.B Vulnerability Disclosure/Reporting
Organizations maintain a public, easily discoverable method for security researchers to notify organizations' security teams of vulnerable, misconfigured, or otherwise exploitable assets. Valid submissions are acknowledged and responded to in a timely manner. Security researchers sharing vulnerabilities discovered in good faith are protected under Safe Harbor rules.
4.C Deploy Security.txt Files
All public-facing web domains have a security.txt file that conforms to the recommendations in RFC 9116. This provides a standardized way for security researchers to report vulnerabilities.
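Added example, not from the checklist or from RFC 9116 itself: a validator for the mandatory fields of a security.txt file (Contact as a URI, exactly one unexpired Expires), run over a constructed sample for a made-up domain; the `now` parameter is assumed so the check is reproducible offline.

```python
"""Validate a security.txt body against the RFC 9116 rules CPG 4.C points at."""
from datetime import datetime, timedelta, timezone
# Constructed sample (made-up domain); in practice fetch the body from
# https://<domain>/.well-known/security.txt over HTTPS and pass it in.
SAMPLE_SECURITY_TXT = """# constructed example
Contact: mailto:security@example.test
Contact: https://example.test/report
Expires: 2026-06-01T00:00:00.000Z
"""

def as_utc(stamp):
    """Parse an RFC 9116 timestamp such as 2026-06-01T00:00:00.000Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def parse_security_txt(body):
    """Return {field-name (lowercase): [values]}; comments and blanks are skipped."""
    fields = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate_security_txt(body, now=None):
    """Return a list of problems; an empty list means the checked rules are met."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(body)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact is required")
    for c in contacts:  # RFC 9116 requires a URI; a bare address does not count
        if not c.lower().startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact must be a URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            exp = as_utc(expires[0])
            if exp <= now:
                problems.append("Expires is in the past; the file is stale")
            elif exp > now + timedelta(days=365):
                problems.append("Expires is over a year out; RFC 9116 recommends less")
        except (ValueError, TypeError):
            problems.append(f"Expires is not a valid RFC 9116 timestamp: {expires[0]}")
    return problems
```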
RECOVER (1 Goal)
5.A Incident Planning and Preparedness
Develop, maintain, and execute plans to recover and restore to service business or mission-critical assets or systems that might be impacted by a cybersecurity incident. Test recovery plans regularly to ensure they are effective.