Cross-Sector Cybersecurity Performance Goals Part 3

Congrats and thank you! You have made it to our final piece of coverage for the newly released CPGs.


I think you have gotten the hang of things by now, but first I wanted to give a quick summary of the previous two blogs:

Part 1: Account and Device Security: Ensure only authorized personnel and devices have access to your environment.

Part 2: Data Security, Organizational Cybersecurity Leadership, and Mitigating Known Vulnerabilities: Different tools and software you should use to identify and protect sensitive data, as well as organizational processes to put in place.

Part 3 of our coverage will look at Vendor/Supplier Cybersecurity Requirements and other honorable mentions.

6. Vendor/Supplier Cybersecurity Requirements

6.1. Selecting a more secure product or service may not always be the least expensive option! During vendor onboarding, request the vendor's security documentation and review it to confirm it aligns with your organization's policies.

6.2. Outline in your Service Level Agreement (SLA) how communication with your vendors is handled if an incident occurs. This should include a list of names from your vendor and a defined, risk-informed timeframe.

7. Incident Reporting (IR) Plans

7.1. Your organization should maintain, test, and update your IR plans. Testing your IR plan could come in the form of tabletop exercises or in-person/online training (see our blog on that topic linked here). If you do not have a formally documented IR plan, feel free to contact us today with the contact information at the bottom of this blog.

7.2. All systems you use that are necessary for operation should be regularly backed up on a defined, documented cadence. This will reduce the risk of lost data and services.

7.3. Map out your network! This is known as network topology: you should have mapped all physical and logical structures of your network, including nodes, switches, and routers, along with data flow diagrams. All of this is crucial in reducing the time it takes to recover effectively from an attack.

8. Honorable Mentions

8.1. For connections to your systems, use deny-all, permit-by-exception rules so that only authorized personnel are explicitly allowed in. Those exceptions can also be scoped by IP range and port number. CISA also emphasizes network segmentation in this section; we covered that topic in detail in our Supervisory Control and Data Acquisition (SCADA) blog, read that here.
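To make the deny-all, permit-by-exception idea concrete, here is an added example (our illustration, not code from CISA or the CPGs) of a small connection policy in Python: a connection attempt is allowed only when an explicit rule matches its source IP range, destination port and protocol, and anything unmatched is denied. It also renders the same rules as an nftables input chain with `policy drop`, which is how the pattern looks on a Linux host. The rule names and every address below are constructed placeholders.

```python
"""Added example (not from the blog or CISA): a default-deny,
permit-by-exception connection policy. A connection attempt is allowed only
if an explicit rule matches its source network, destination port and
protocol; everything else is denied. All addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowRule:
    """One explicit exception: which source network may reach which port/protocol."""
    name: str
    source: str   # CIDR, e.g. "10.20.0.0/24"
    port: int
    proto: str    # "tcp" or "udp"

    def network(self):
        return ipaddress.ip_network(self.source, strict=False)


class DenyAllPolicy:
    """Default-deny policy: the only way in is an explicit AllowRule."""

    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, src_ip, dst_port, proto):
        """Return ("allow", rule name) or ("deny", reason) for one attempt."""
        try:
            addr = ipaddress.ip_address(src_ip)
        except ValueError:
            return ("deny", "invalid-source")   # unparsable source: never trusted
        for rule in self.rules:
            net = rule.network()
            if (rule.proto == proto.lower() and rule.port == dst_port
                    and addr.version == net.version and addr in net):
                return ("allow", rule.name)
        return ("deny", "default")             # no exception matched

    def to_nftables(self):
        """Render the policy as an nftables input chain with 'policy drop'.
        Sketch for illustration; review before loading on a real host."""
        lines = ["table inet filter {",
                 "  chain input {",
                 "    type filter hook input priority 0; policy drop;",
                 "    ct state established,related accept"]
        for rule in self.rules:
            net = rule.network()
            family = "ip" if net.version == 4 else "ip6"
            lines.append("    %s saddr %s %s dport %d accept  # %s"
                         % (family, net, rule.proto, rule.port, rule.name))
        lines += ["  }", "}"]
        return "\n".join(lines)


# Constructed policy with hypothetical networks (placeholders, not real infrastructure).
POLICY = DenyAllPolicy([
    AllowRule("admin-ssh", "10.20.0.0/24", 22, "tcp"),
    AllowRule("vendor-portal", "203.0.113.0/28", 443, "tcp"),
])

if __name__ == "__main__":
    for src, port, proto in [("10.20.0.7", 22, "tcp"), ("10.20.1.7", 22, "tcp"),
                             ("203.0.113.5", 443, "tcp"), ("203.0.113.5", 22, "tcp")]:
        print(src, port, proto, "->", POLICY.evaluate(src, port, proto))
    print(POLICY.to_nftables())
```

Note the `ct state established,related accept` line: with a `policy drop` chain, reply traffic for connections your own hosts initiate would otherwise be dropped too, which is the usual first surprise when moving from permit-all to deny-all.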

8.2. When it comes to threats, different sectors have different risks. Therefore, your organization should investigate the most common forms of attacks specific to your industry and DOCUMENT THEM! Your IT team should be aware of and able to detect relevant threats.

8.3. Email is one of the most popular tools used by hackers because it’s fast and easy. So here are a few technical tips to reduce the risk of spoofing, phishing, and interception. On all corporate email infrastructure: (1) enable STARTTLS, (2) enable SPF and DKIM, and (3) enable DMARC and set its policy to “reject.” For further examples and information, see CISA’s past guidance for Federal Agencies at binding-operational-directive-18-01
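Two of those three tips (SPF/DKIM and DMARC with “reject”) are visible to anyone in public DNS, so they are easy to self-check. The Python below is an added example (ours, not CISA's or the blog's) that parses the relevant TXT records and reports whether each meets the bar: SPF present and ending in a hard fail (`-all`), a DKIM selector publishing a non-empty key, and DMARC at `p=reject` covering 100% of mail. STARTTLS is a mail-server transport setting, not a DNS record, and is not checked here. The DNS data is constructed inline for two hypothetical domains rather than looked up live.

```python
"""Added example (not from the blog or CISA): offline checks for SPF, DKIM
and DMARC-with-reject, run against constructed TXT records. STARTTLS is a
server transport setting and is out of scope for a DNS check."""


def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (DMARC, DKIM) into a lower-cased dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records):
    """Pass only if exactly one v=spf1 record exists and ends with the hard-fail '-all'."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return False, "expected exactly one SPF record, found %d" % len(spf)
    last = spf[0].split()[-1].lower()
    if last == "-all":
        return True, "SPF present with hard fail (-all)"
    return False, "SPF should end with -all, found '%s'" % last


def check_dkim(txt_records):
    """Pass if a DKIM selector record publishes a non-empty public key (p=)."""
    for r in txt_records:
        tags = parse_tags(r)
        if tags.get("v", "DKIM1").upper() == "DKIM1" and tags.get("p"):
            return True, "DKIM public key published"
    return False, "no DKIM record with a non-empty p= tag (empty p= means revoked)"


def check_dmarc(txt_records):
    """Pass only if v=DMARC1 with p=reject applies to all mail (pct defaults to 100)
    and the subdomain policy (sp, defaults to p) is not weaker."""
    dmarc = [parse_tags(r) for r in txt_records if r.upper().startswith("V=DMARC1")]
    if len(dmarc) != 1:
        return False, "expected exactly one DMARC record, found %d" % len(dmarc)
    tags = dmarc[0]
    policy = tags.get("p", "").lower()
    if policy != "reject":
        return False, "DMARC policy is '%s', not 'reject'" % (policy or "missing")
    if tags.get("pct", "100") != "100":
        return False, "DMARC pct=%s applies reject to only part of the mail" % tags["pct"]
    if tags.get("sp", "reject").lower() != "reject":
        return False, "subdomain policy sp=%s is weaker than reject" % tags["sp"]
    return True, "DMARC p=reject on all mail"


def assess_domain(domain, dns, selector):
    """Run all three checks against a dict of DNS name -> list of TXT strings."""
    return {
        "spf": check_spf(dns.get(domain, [])),
        "dkim": check_dkim(dns.get("%s._domainkey.%s" % (selector, domain), [])),
        "dmarc": check_dmarc(dns.get("_dmarc.%s" % domain, [])),
    }


# Constructed zone data for two hypothetical domains (placeholder names and key).
CONSTRUCTED_DNS = {
    "good.example": ["v=spf1 mx ip4:192.0.2.10 -all"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 include:_spf.example.net ~all"],
    "s1._domainkey.weak.example": ["v=DKIM1; k=rsa; p="],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
}

if __name__ == "__main__":
    for domain in ("good.example", "weak.example"):
        for name, (ok, why) in assess_domain(domain, CONSTRUCTED_DNS, "s1").items():
            print("%-13s %-5s %s  %s" % (domain, name, "PASS" if ok else "FAIL", why))
```

A softfail SPF (`~all`) or a DMARC record at `p=none` still lets spoofed mail through; the checks above flag both, along with the less obvious `pct=` and `sp=` tags that quietly narrow a “reject” policy.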

Thank you for reading through our coverage of CISA’s CPGs; we hope you found them informative and actionable. And as always, feel free to reach out to us with questions using the contact information below!

For more information, speak with a QoS consultant today, or reach out through our contact form on our website.