This is a continuation of the CPGs Part 1 blog.
Welcome to Part 2 of our coverage of the newly released Cross-Sector Cybersecurity Performance Goals (CPGs). In Part 1 we covered Account and Device Security. Now we will cover Data Security, Organizational Cybersecurity Leadership, and Mitigating Known Vulnerabilities, the next three CPGs CISA has selected.
Let’s Get Into It
3. Data Security
3.1. The first to kick us off is a topic we mention often in our blogs: Log Collection. There are a variety of methods for collecting logs within an information system. Ensure whichever solution is in use can capture the desired events from sources such as your endpoints, IAM systems, IDS/IPS, EDRs, firewalls, VPNs, etc. Logs should be retained for both system monitoring and incident management purposes. Your event log management processes are critical to the security posture of your information systems; without them, you will be insufficiently prepared to detect and respond to threats.
3.2. Now that your logs are warm and cozy, you will want to ensure that they are stored and retained in a centralized system, like a Security Information and Event Management (SIEM) system. The alerting, aggregation, and correlation of logs are not only key to system monitoring activities but are also required by various laws and regulations. Logs should be retained according to your enterprise, compliance, or regulatory retention requirements.
3.3. If you are a seasoned IT professional or cyber vet, encryption is likely something you have encountered. When configuring encryption in transit, the latest version of Transport Layer Security (TLS) should be used wherever feasible. At a minimum, ensure encryption protections are applied to sensitive data. Now is also a good time to examine your environment for outdated or weak cryptographic algorithms and insecure ciphers, and update them as soon as possible!
3.4. Secure sensitive data! This one is straightforward: you should not be storing sensitive information in plain text, and it should only be accessed by authorized users with a need to know.
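As an added example (not from the original post), here is a small Python audit that flags deprecated TLS versions and weak cipher suites in nginx-style ssl_protocols and ssl_ciphers directives. The two sample configs and the deny-lists are constructed for illustration, and a TLS 1.2 floor is an assumed policy.

```python
"""Audit a TLS server configuration for deprecated protocol versions and weak ciphers.

Added example, not from the original post. The directive format mimics nginx's
ssl_protocols / ssl_ciphers lines; the sample configs and deny-lists below are
constructed for illustration and assume TLS 1.2 as the minimum acceptable version.
"""
import re

# Protocol versions that should no longer be offered (assumed policy: TLS 1.2 minimum).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Name fragments that indicate a weak or broken primitive in an OpenSSL cipher-suite name.
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5")

# Constructed sample configs: a legacy one and its hardened counterpart.
WEAK_CONFIG = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256;
"""
HARDENED_CONFIG = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5;
"""

def parse_directives(config_text):
    """Return {directive: [values]} for the ssl_protocols and ssl_ciphers lines."""
    found = {}
    for line in config_text.splitlines():
        line = line.strip().rstrip(";")
        m = re.match(r"^(ssl_protocols|ssl_ciphers)\s+(.+)$", line)
        if not m:
            continue
        name, value = m.groups()
        # ssl_protocols is space-separated; ssl_ciphers is an OpenSSL colon-separated list.
        found[name] = value.split() if name == "ssl_protocols" else value.split(":")
    return found

def audit_tls_config(config_text):
    """Return a list of findings; an empty list means nothing deprecated or weak was enabled."""
    findings = []
    directives = parse_directives(config_text)
    for proto in directives.get("ssl_protocols", []):
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"deprecated protocol enabled: {proto}")
    for suite in directives.get("ssl_ciphers", []):
        if suite.startswith("!"):  # an explicit exclusion (e.g. !MD5) is a good sign, skip it
            continue
        if any(marker in suite.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite allowed: {suite}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_tls_config(cfg) or ["no findings"])
```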
4. Organizational Cybersecurity Leadership
4.1. Cybersecurity accountability, investment, and effectiveness can be achieved by appointing a leader for IT Security, such as a CISO or vCISO.
4.2. Emphasize cybersecurity awareness training for all employees within your organization. This should cover basic concepts like phishing, password security, insider threats, and social engineering. New employees should also be required to complete security awareness training within a week of onboarding, and in some cases before being provisioned access to sensitive systems/data. Many organizations understand security awareness training, but let’s not forget to identify role-based training, such as system administrator training, database administrator training, secure coding training, and cloud security training just to name a few.
5. Mitigating Known Vulnerabilities
5.1. When dealing with vulnerabilities, you should prioritize based on asset and vulnerability criticality. To avoid hesitation, review your environment and preemptively identify critical assets. Also, refer to CISA's Known Exploited Vulnerabilities (KEV) Catalog.
5.2. Your organization should maintain a public and easily accessible method for outside security researchers to notify your team of exploitable systems. Researchers' primary focus is to identify threats and vulnerabilities, so you will want to give them an avenue to contact you.
5.3. You should not have any operational technology, like SCADA systems, on the public internet unless explicitly required. In that case, exceptions must be justified and documented, and those systems must have additional protections in place, such as logging, MFA, or access via a proxy.
Continue on to Part 3 of this series.
For more information, speak with a QoS consultant today at firstname.lastname@example.org, or reach out through the contact form on our website, http://www.qosconsultingsolutions.com/.