CISA CPG Checklist v1.0

Here it is a handy version in the form of a Word document that relates to the security controls outlined within CISA CPG Checklist v1.0 Official Guideline.

November 5, 2022

Introduction

The Cybersecurity and Infrastructure Security Agency (CISA) is a component of the United States Department of Homeland Security (DHS).

It is responsible for making sure that cybersecurity is improved across the board and that all levels of government are working together to do so. It also makes sure that the government's cybersecurity protections against private and nation-state hackers are getting better.

CHECKLIST

1. Account Security

1.1 Detection of Unsuccessful (Automated) Login Attempts - PR.AC-7

1.2 Changing Default Passwords PR.AC-1

1.3 Multi-Factor Authentication (MFA) PR.AC-7

1.4 Minimum Password Strength PR.AC-1

1.5 Separating User and Privileged Accounts PR.AC-4

1.6 Unique Credentials PR.AC-1

1.7 Revoking Credentials for Departing Employees PR.AC-1

2. Device Security

2.1 Hardware and Software Approval Process PR.IP-3

2.2 Disable Macros by Default PR.IP-1, PR.IP-3

2.3 Asset Inventory ID.AM-1

2.4 Prohibit Connection of Unauthorized Devices PR.PT-2

2.5 Document Device Configurations PR.IP-1

3. Data Security

3.1 Log Collection PR.PT-1

3.2 Secure Log Storage PR.PT-1

3.3 Strong and Agile Encryption PR.DS-1, PR.DS-2

3.4 Secure Sensitive Data PR.DS-1, PR.DS-2, PR.DS-5

4. GOVERNANCE AND TRAINING

4.1 Organizational Cybersecurity Leadership ID.GV-1, ID.GV-2

4.2 OT Cybersecurity Leadership ID.GV1, ID.GV-2

4.3 Basic Cybersecurity Training PR.AT-1

4.4 OT Cybersecurity Training PR.AT-2, PR.AT-3, PR.AT-5

4.5 Improving IT and OT Cybersecurity Relationships ID.GV-2

5. vulnerability management

5.1 Mitigating Known Vulnerabilities PR.IP-12, ID.RA-1, DE.CM-8, RS.MI-3

5.2 Vulnerability Disclosure/Reporting RS.AN-5

5.3 Deploy Security.txt Files RS.AN-5

5.4 No Exploitable Services on the Internet PR.PT-4

5.5 Limit OT Connections to Public Internet PR.PT-4

5.6 Third-Party Validation of Cybersecurity Control Effectiveness ID.RA-1, ID.RA-3

6. SUPPLY CHAIN / THIRD PARTY

6.1 Vendor/Supplier Cybersecurity Requirements ID.SC-3

6.2 Supply Chain Incident Reporting ID.SC-1, ID.SC-3

6.3 Supply Chain Vulnerability Disclosure ID.SC-1, ID.SC-3

7. response and recovery

7.1 Incident Reporting RS.CO-2, RS.CO-4

7.2 Incident Response (IR) Plans PR.IP-9, PR.IP-10

7.3 System Back Ups PR.IP-4

7.4 Document Network Topology PR.IP-1

6.3 Supply Chain Vulnerability Disclosure ID.SC-1, ID.SC-3

8. Other

8.1 Network Segmentation PR.AC-5, PR.PT-4, DE.CM-1

8.2 Detecting Relevant Threats and TTPs ID.RA-3, DE.CM-1

8.3 Email Security PR.DS-1, PR.DS-2, PR.DS-5

download

CISA CPG CHECKLIST 508c as a Microsoft Word File

Aknowledgements | References | Resources

- CISA CPG CHECKLIST 508c PDF

- CISA PUBLICATIONS SECTION

Be the adversary - attack first

PUT US TO THE TEST ->