CISA Cybersecurity Performance Goals Security Controls
Version 2023
The CISA Cybersecurity Performance Goals (CPGs) are a prioritized subset of cybersecurity practices designed to meaningfully reduce risk for organizations of any size. Published by the US Cybersecurity and Infrastructure Security Agency, the CPGs cover the most impactful controls across account security, device security, data protection, vulnerability management, and incident response. They are designed as a starting point, not a ceiling.
Total controls: 37
Critical priority: 8
Est. implementation: 125h
Trust service categories: 7
Published by the US Cybersecurity and Infrastructure Security Agency (CISA). As a work of the US federal government, the CPGs are in the public domain. Goal descriptions and implementation guidance authored by AuditRubric.
Account Security
7 controls. Controls that protect user and service account credentials from compromise, unauthorized access, and privilege abuse.
Multi-factor authentication is required for all user accounts
Unique credentials are used and shared accounts are eliminated
Privileged accounts are separated and access is minimized
Credentials are revoked immediately on known or suspected compromise
Phishing-resistant MFA is enforced for privileged and high-value accounts
Strong password policies are enforced at the identity provider, including breached-password checks
Employee and contractor offboarding revokes all access within 24 hours
Device Security
6 controls. Controls that ensure devices are inventoried, hardened, segmented, and protected against malware and unauthorized use.
An inventory of authorized hardware and software assets is maintained
Devices are configured securely with hardened baselines
Network segmentation isolates critical systems
Endpoint detection and response (EDR) is deployed on all managed devices
Critical and high CVEs are patched within 14 days; all others within 30 days
Full-disk encryption is enforced on all endpoints and portable storage
Data Security
5 controls. Controls that identify, classify, encrypt, and back up sensitive data.
Sensitive data is inventoried and classified by type
Sensitive data at rest is encrypted using current standards
Data in transit is encrypted using modern protocols
Sensitive data is securely disposed of when no longer needed
Backups of critical data are maintained and tested
Governance and Training
4 controls. Controls that establish cybersecurity policies and ensure personnel are trained to recognize and respond to threats.
A cybersecurity policy is established, approved, and communicated
All employees receive security awareness training at least annually
Employees are trained to recognize and report phishing attempts
Third-party vendors are required to meet minimum security standards
Vulnerability Management
5 controls. Controls that identify, prioritize, and remediate security vulnerabilities before they can be exploited.
Vulnerability scanning is performed regularly on all systems
CISA Known Exploited Vulnerabilities are remediated on priority timelines
Critical and high vulnerabilities are remediated within defined SLAs
Internet-exposed attack surface is identified and minimized
Penetration testing or red team exercises are conducted at least annually
Supply Chain
3 controls. Controls that manage cybersecurity risk introduced by third-party vendors and service providers.
Response and Recovery
7 controls. Controls that ensure the organization can detect, respond to, and recover from security incidents.
An incident response plan is documented and maintained
Incident response roles and contacts are designated and current
Security incidents are reported to CISA when applicable
Security logs are collected centrally and retained for investigation
Network and system anomalies are monitored and alerted on
Incident response exercises are conducted at least annually
Recovery procedures are documented and tested