SOC 2 to CISA Cybersecurity Performance Goals Mapping

Capacity is managed to ensure system availability

Relevant security information is obtained and used

Security controls are evaluated on an ongoing basis

Control deficiencies are identified, evaluated, and communicated

Anomalies and security events are detected and monitored

Security logs are collected centrally and retained for investigation

Network and system anomalies are monitored and alerted on

Detected security incidents are evaluated and classified

Security incidents are responded to and contained

Incidents are recovered from and resumption of operations is documented

Credentials are revoked immediately on known or suspected compromise

An incident response plan is documented and maintained

Incident response roles and contacts are designated and current

Incident response exercises are conducted at least annually

Commitment to integrity and ethical values is demonstrated

Board or equivalent body oversees security risk

Organizational structure and authority for security is defined

Controls are deployed through policies and procedures

A cybersecurity policy is established, approved, and communicated

Security information is communicated internally

Control activities are selected and developed to mitigate risks

Controls are deployed through policies and procedures

A cybersecurity policy is established, approved, and communicated

An incident response plan is documented and maintained

Recovery procedures restore system availability after disruptions

Incidents are recovered from and resumption of operations is documented

Backups of critical data are maintained and tested

Recovery procedures are documented and tested

Confidential information is identified and protected

Sensitive data is protected during transmission and storage

Data in transit is encrypted using modern protocols

Full-disk encryption is enforced on all endpoints and portable storage

Third-party vendor risk is assessed and managed

Third-party vendors are required to meet minimum security standards

Third-party software and services are inventoried and assessed for risk

Vendor contracts include minimum cybersecurity requirements

Recovery procedures restore system availability after disruptions

Backups of critical data are maintained and tested

Recovery procedures are documented and tested

Commitment to competence in security is demonstrated

Security information is communicated internally

Employees are trained to recognize and report phishing attempts

Relevant security information is obtained and used

Anomalies and security events are detected and monitored

Security logs are collected centrally and retained for investigation

Control deficiencies are identified, evaluated, and communicated

Vulnerability scanning is performed regularly on all systems

Critical and high vulnerabilities are remediated within defined SLAs

Logical access security measures restrict access to assets

Multi-factor authentication is required for all user accounts

Phishing-resistant MFA is enforced for privileged and high-value accounts

Logical access security measures restrict access to assets

Multi-factor authentication is required for all user accounts

Strong password policies are enforced at the identity provider, including breached-password checks

Logical access security measures restrict access to assets

Role-based access is used and reviewed periodically

Privileged accounts are separated and access is minimized

Sensitive data is protected during transmission and storage

Sensitive data at rest is encrypted using current standards

Full-disk encryption is enforced on all endpoints and portable storage

Vulnerability management identifies and remediates security flaws

Critical and high CVEs are patched within 14 days; all others within 30 days

Critical and high vulnerabilities are remediated within defined SLAs

Vulnerability management identifies and remediates security flaws

Critical and high CVEs are patched within 14 days; all others within 30 days

CISA Known Exploited Vulnerabilities are remediated on priority timelines

Anomalies and security events are detected and monitored

Security logs are collected centrally and retained for investigation

Network and system anomalies are monitored and alerted on

Third-party vendor risk is assessed and managed

Third-party vendors are required to meet minimum security standards

Third-party software and services are inventoried and assessed for risk

Confidential information is identified and protected

Sensitive data is inventoried and classified by type

Confidential information is identified and protected

Sensitive data is inventoried and classified by type

Confidential information is disposed of securely

Sensitive data is securely disposed of when no longer needed

Confidential information is disposed of securely

Sensitive data is securely disposed of when no longer needed

Commitment to integrity and ethical values is demonstrated

A cybersecurity policy is established, approved, and communicated

Organizational structure and authority for security is defined

Incident response roles and contacts are designated and current

Commitment to competence in security is demonstrated

All employees receive security awareness training at least annually

Security information is communicated to external parties

Security incidents are reported to CISA when applicable

Security risks are identified and analyzed

Vulnerability scanning is performed regularly on all systems

Fraud risk is identified and assessed

Employee and contractor offboarding revokes all access within 24 hours

General controls over technology are selected and developed

Critical and high vulnerabilities are remediated within defined SLAs

General controls over technology are selected and developed

Devices are configured securely with hardened baselines

Access is removed or modified when no longer required

Employee and contractor offboarding revokes all access within 24 hours

Logical access security measures protect against external threats

Network segmentation isolates critical systems

Sensitive data is protected during transmission and storage

Data in transit is encrypted using modern protocols

Controls protect against malicious software

Endpoint detection and response (EDR) is deployed on all managed devices

Controls protect against malicious software

Endpoint detection and response (EDR) is deployed on all managed devices

Controls protect against malicious software

Endpoint detection and response (EDR) is deployed on all managed devices

Vulnerability management identifies and remediates security flaws

Critical and high CVEs are patched within 14 days; all others within 30 days

Anomalies and security events are detected and monitored

Network and system anomalies are monitored and alerted on

Security incidents are responded to and contained

Incident response exercises are conducted at least annually

Third-party vendor risk is assessed and managed

Third-party software and services are inventoried and assessed for risk