CISA Cybersecurity Performance Goals: Account Security Controls
Controls that protect user and service account credentials from compromise, unauthorized access, and privilege abuse.
Account Security
Multi-factor authentication is required for all user accounts
Stolen passwords are the leading cause of account compromise. MFA means that even when credentials a...
Unique credentials are used and shared accounts are eliminated
Shared accounts make it impossible to attribute actions to a specific person, prevent effective offb...
Privileged accounts are separated and access is minimized
Administrator and privileged accounts are the highest-value targets for attackers. An attacker who c...
Credentials are revoked immediately on known or suspected compromise
When credentials are confirmed or suspected to be compromised, every minute they remain active is a ...
Phishing-resistant MFA is enforced for privileged and high-value accounts
Standard MFA methods like SMS one-time codes and push notifications can be defeated by real-time phi...
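The following is an added illustration, not CISA's text or any vendor's code, of why a real-time phishing proxy defeats a one-time code but not a WebAuthn-style assertion. The authenticator signature is simulated with HMAC over a per-credential secret (a real authenticator signs with an asymmetric key; the origin-binding logic is the same), and the two origin names are hypothetical. The HOTP routine follows RFC 4226 so it can be checked against that RFC's published test vectors.

```python
"""Why real-time phishing defeats OTP/push MFA but not WebAuthn-style MFA.

Added illustration, not CISA's or any vendor's code. The authenticator
signature is a stand-in built with HMAC over a per-credential secret; a real
WebAuthn authenticator signs with an asymmetric key. The origin names below
are hypothetical.
"""
import hashlib
import hmac
import json
import secrets
import struct

RP_ORIGIN = "https://login.example.com"        # hypothetical legitimate site
PHISH_ORIGIN = "https://login-example.com"     # hypothetical look-alike proxy


# ---- SMS/TOTP-style one-time code: bound to a counter/time, not to a site ----
def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP, 6 digits; TOTP is HOTP with counter = floor(time / 30)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def otp_relay_attack(counter: int = 0) -> bool:
    """Victim types a valid code into the phishing page; the proxy forwards it."""
    seed = secrets.token_bytes(20)           # shared between user device and RP
    victim_code = hotp(seed, counter)        # shown on the victim's phone
    forwarded = victim_code                  # attacker relays it inside the window
    return hmac.compare_digest(hotp(seed, counter), forwarded)   # RP accepts


# ---- WebAuthn-style assertion: the browser embeds the origin it talks to ----
def client_data(challenge: str, origin: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}, sort_keys=True).encode()


def authenticator_sign(cred_secret: bytes, challenge: str, browser_origin: str):
    """The browser, not the user, supplies the origin; the user cannot 'forward' it."""
    cd = client_data(challenge, browser_origin)
    sig = hmac.new(cred_secret, hashlib.sha256(cd).digest(), hashlib.sha256).digest()
    return cd, sig


def rp_verify(cred_secret: bytes, expected_challenge: str, cd: bytes, sig: bytes) -> bool:
    """Relying party checks type, origin and challenge before the signature."""
    data = json.loads(cd)
    if data.get("type") != "webauthn.get" or data.get("origin") != RP_ORIGIN:
        return False                         # assertion was made for another site
    if data.get("challenge") != expected_challenge:
        return False                         # replayed or stale challenge
    expected = hmac.new(cred_secret, hashlib.sha256(cd).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def webauthn_legit_login() -> bool:
    cred = secrets.token_bytes(32)
    challenge = secrets.token_urlsafe(32)    # issued by the RP
    cd, sig = authenticator_sign(cred, challenge, RP_ORIGIN)
    return rp_verify(cred, challenge, cd, sig)


def webauthn_relay_attack() -> bool:
    """Proxy forwards the real challenge, but the victim's browser signs it with PHISH_ORIGIN."""
    cred = secrets.token_bytes(32)
    challenge = secrets.token_urlsafe(32)    # issued by the RP to the proxy
    cd, sig = authenticator_sign(cred, challenge, PHISH_ORIGIN)
    return rp_verify(cred, challenge, cd, sig)   # rejected: origin mismatch


if __name__ == "__main__":
    print("OTP relay accepted:", otp_relay_attack())           # True
    print("WebAuthn legit accepted:", webauthn_legit_login())  # True
    print("WebAuthn relay accepted:", webauthn_relay_attack()) # False
```

The one-time code carries nothing that identifies the site the user believes they are on, so a proxy that relays it within its validity window is indistinguishable from the user. The WebAuthn client data carries the origin the browser actually loaded, and the relying party rejects any assertion whose origin is not its own, so the proxy cannot reuse it.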
Strong password policies are enforced at the identity provider, including breached-password checks
Weak passwords remain a primary attack vector. Short passwords, passwords reused from other breached...
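As an added example (not part of the CISA text or any vendor's implementation), the check below evaluates a candidate password against a length minimum, the username, and a breached-password corpus using the k-anonymity range lookup popularised by Have I Been Pwned's Pwned Passwords service: only the first five hex characters of the SHA-1 hash leave the client, and the match is made locally. The breach corpus and its counts are constructed for the example, `range_lookup` stands in for the network call, and the 15-character minimum is a configurable assumption.

```python
"""Breached-password check in the k-anonymity style used by Have I Been Pwned.

Added example, not CISA's text or any vendor's code. The breach corpus below is
constructed for the example; a deployment would query the real range service
(or a mirrored copy) with the same 5-character SHA-1 prefix and never send the
full hash or the password. The minimum length is a configurable assumption.
"""
import hashlib

# Constructed breach data: password -> number of times seen. Counts are made up.
_CONSTRUCTED_BREACHES = {"password": 9_000_000, "Winter2024!": 1200,
                         "P@ssw0rd": 500_000, "qwerty123456789": 300}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the corpus the way the range API serves it: prefix -> ["SUFFIX:COUNT", ...]
RANGE_DB = {}
for _pw, _count in _CONSTRUCTED_BREACHES.items():
    _h = sha1_upper(_pw)
    RANGE_DB.setdefault(_h[:5], []).append(f"{_h[5:]}:{_count}")


def range_lookup(prefix: str) -> list:
    """Stand-in for GET /range/{prefix}; only the 5-char prefix leaves the client."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return RANGE_DB.get(prefix, [])


def breached_count(password: str) -> int:
    """Return how often the password appears in the corpus (0 = not found)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        cand_suffix, _, count = line.partition(":")
        if cand_suffix == suffix:        # compared locally; the server never sees the suffix
            return int(count)
    return 0


def evaluate_password(password: str, username: str, min_length: int = 15) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    n = breached_count(password)
    if n:
        problems.append(f"appears in breach data ({n} times)")
    return problems


if __name__ == "__main__":
    for pw in ("Winter2024!", "alice-needs-a-long-password-2024",
               "correct horse battery staple"):
        print(pw, "->", evaluate_password(pw, "alice") or "OK")
```

Run this check at the identity provider on every password set or change, and treat any non-zero breach count as a hard reject rather than a warning; the SHA-1 here is only a lookup key for the breach corpus and has nothing to do with how the password is stored.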
Employee and contractor offboarding revokes all access within 24 hours
Active accounts belonging to former employees and contractors are among the easiest paths for unauth...