ReadySetCyber Self-Assessment

ReadySetCyber

ReadySetCyber Self-Assessment.xlsx

OMB: 1670-0051

Document [xlsx]
Download: xlsx | pdf

Overview

README
Preliminary
Demographics
IAM
Device Configuration & Security
Data Security
Governance and Training
VM
SCRM
IR


Sheet 1: README

Question Category Description
Preliminary
Questions that examine basic cyber hygiene


Identity and Access Management (IAM) Questions that examine identity and access management polices and procedures.
Device Configuration & Security Questions that examine policies and controls to manage the provisioning, security, and deployment of devices across the organization.
Security controls to maintain CIA Questions that examine controls aimed at protecting and maintaining the CIA of organizational assets and data.
Organizational Governance & Training Questions that examine governance and training practices across the organization to ensure security policies are implemented and understood.
Vulnerability Management (VM) Questions that examine an organization's VM policies and procedures.
Supply Chain Risk Management (SCRM) Questions that examine an organization's SCRM program or practices used to evaluate vendor security.
Incident Response (IR) Questions that examine an organization's IR policies and procedures.
Purpose: Questions based on the 38 Cross-Sector Cybersecurity Performance Goals (CPGs) are organized into these seven categories for organizations to complete as they navigate through the ReadySetCyber questionnaire. These questions assess fundamental cybersecurity practices that are expected to be the foundations of any information security program, and help to establish a baseline understanding of an organization's cybersecurity maturity.

Sheet 2: Preliminary

QID Questions Definitions Possible Responses CISA Resources Recommendation Description
1 Are you a small business? Small businesses are those with less than 100 employees Yes
No
[Threaded comment] Your version of Excel allows you to read this threaded comment; however, any edits to it will get removed if the file is opened in a newer version of Excel. Learn more: https://go.microsoft.com/fwlink/?linkid=870924 Comment: This would off the bat be an opportunity to link to https://www.cisa.gov/cyber-guidance-small-businesses Cyber Guidance for Small Businesses CISA has Cyber Guidance for Small Businesses, which is great place for any organization to start their cybersecurity journey.

Do you employ others than yourself? Include anyone who has access to your data or devices, paid or unpaid. Yes
No
Cyber Essentials Webinar Include anyone who has access to your data or devices, paid or unpaid.

Is your work password different from your personal password?
Yes
No
Article: Choosing and Protecting Passwords  To prevent a security incident in one of your accounts from affecting all of your accounts, it's important to use unique passwords. Check out this article to learn more.

Is your work password a strong password? Strong passwords are longer than 8 characters, a combination of numbers, letters, and characters, with at least one capital and lower case letter Yes
No
Video: Secure Our World – Keep Your Accounts Safe with Strong Passwords A great first step to securing user accounts is to learn how to choose strong passwords. Watch this short video from CISA to learn more.

Do you have multi-factor authentication enabled on your work computers and systems? Multi-Factor Authentication (MFA) is a layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login. Yes
No
Video: Secure Our World – Make Your Accounts Safe with Multifactor Authentication (MFA) As this short video will explain, a password is not enough. CISA strongly recommends that individuals and organizations implement multi-factor authentication to keep your accounts and data safe.

Do you regularly back up your important work data?
Yes
No
CISA Publication: Data Backup Options  To ensure the availabilty of your data, it's important to make regular backups. This guidline from CISA outlines some options for how to backup your data.

What methods do you backup your data?
An external hard drive,
a USB stick or flash drive
A network-connected hard drive (such as a NAS drive)
A cloud drive
A combination of the above



Is automatic backup enabled?
Yes
No
Cyber Essentials Toolkit: Your Data Establish regular automated backups and redundancies of key systems. Employ a backup solution that automatically and continuously backs up your business-critical data and system configurations. Regular backups protect against ransomware and malware attacks. Use on-site and remote backup methods to protect vulnerable information.

Can you quickly access your backed up data?
Yes
No
Cyber Essentials Toolkit: Your Data Prioritize backups (based off of the importance of the information) and have a schedule of what to bring back online when so that your business can still function during a cyberattack. Test your backup strategy before you need to use it to make sure you have full read-back verification, a method of preventing errors when information is relayed or repeated in a different form in order to confirm its accuracy.

What type of devices do you use for work?
Laptop computer
Desktop computer
Mobile devices (phone, tablet, PDA)
A combination of the above
CISA Publication: The Risks of Portable Devices  Keep your organization safe by ensuring you have policies and procedures to prevent unauthorized devices from connecting to your network. This article outlines the risks posed by portable devices.

Which of the following security features do you have enabled? (See list provided)
Screen to auto-lock after a period of inactivity
PIN code, passcode, fingerprint, face ID (or other biometric) to access your device
Find my device (for Apple devices)
Play protect (for Android devices)
Video: Are your mobile settings leaving you vulnerable? To keep your information secure, it's important to ensure your devices have security features enabled. You should set your screen to auto-lock after a period of inactivity, and unlocking the device should require a PIN, Password, or Biometrics (such as a face ID or fingerprint).

Do you use a combination of a firewall and antivirus on your work computers? Firewall and antivirus are security features that are built into Windows and macOS, and can be found in your computer's settings. You can also choose to buy these products from a third party. Yes
No
Article: Understanding Anti-virus software Read this article to learn more about how Anti-virus software can identify and block many viruses before they can infect your computer.

Do you disable services not required for business purposes? 
Yes
No
Article: Network Security Disabling services that you aren't using is one step you can take to keep your data safe. This article about home network security explains why and provides some other simple recommendations.

Do you stay current on software updates?
Yes
No
Video: Secure Our World – Stay Safe by Updating Your Software Many software updates are created to fix security risks, so it's important to keep your software up to date. Watch this short video to learn more.

Do you download apps and software from official and/or reputable sources?

Always
Sometimes
Never
Fact Sheet: Securing the Software Supply Chain This might mean only downloading from an official app store such as Apple App Store or Google Play, or researching the brand or checking its reviews first. For more details, read the Securing the Software Supply Chain Fact Sheet.

Sheet 3: Demographics

What is your organization's name? 
Text Field
Are you a small business? A small business is a corporation, partnership, or sole proprietorship with fewer employees and typically lower average annual revenue than larger businesses in the same industry. Yes
No
Does your business employ anyone else other than you? Include anyone who has access to your data or devices, paid or unpaid. Yes
No
Critical Infrastructure Sector  Please note if your organization is part of one of the sixteen Critical Infrastructure Sectors, as defined here: https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors Chemical Sector
Commercial Facilities Sector
Communications Sector
Critical Manufacturing Sector
Dams Sector
Defense Industrial Base Sector
Emergency Services Sector
Energy Sector
Financial Services Sector
Food and Agriculture Sector
Government Facilities Sector
Healthcare and Public Health Sector
Information Technology Sector
Nuclear Reactors, Materials, and Waste Sector
Transportation Systems Sector
Water and Wastewater Systems
Not part of a Critical Infrastructure Sector
Critical Infrastructure Sub Sector If applicable, please note your sub sector Text Field
Organization Website 
Text Field
Contact Name 
Text Field
Contact Email 
Text Field
Confirm Contact Email 
Text Field
Headquarters Address 
Address fields (Street or PO Box, Number, City, State, ZIP Code) 
What Cybersecurity Services are currently in use at your organization? 
Text Field
Is your organization an existing recipient of CISA cybersecurity services or recipient of CISA services in the past? 
Text Field
What is the greatest cybersecurity challenge facing your organization? 
Text Field
Would you like to take the basic questionnaire or the more in-depth assessment? The basic questionnaire covers cybersecurity best practices for users. The more advanced assessment alights to the Cross-Sector Cybersecurity Performance Goals. Basic
Advanced

Sheet 4: IAM

Questions Possible Responses Definitions Original CPG Question Original CPG Responses Associated CPGs Level CISA Resources Recommendation Description for Primary Resource Secondary Resources Recommendation Description for 2nd Resource Priority
Does your organization have security controls in place that appropriately identify, authenticate, and authorize users? (Category Question) Yes
No

N/A Implemented
In Progress
Scoped
Not Started
Category N/A Video: Strong Passwords A great first step to securing user accounts is to learn how to choose strong passwords. Watch this short video from CISA to learn more. Cyber Essentials Toolkit: Your Staff, Your Users CISA's Cyber Essentials Toolkit provides guidance on where to start when implementing cybersecurity best practices. Check out Chapter 2 to learn about cybersecurity and your people 1
Do your systems require a minimum password length of 15 characters (including OT systems, where technically feasible)? (2.B) Yes
No
Operational Technology (OT): Programmable systems or devices that interact with the physical environment (or manage devices
that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include ICSs, building management systems, fire control systems, andphysical access control mechanisms.
Do your systems require a minimum password length of 15 characters (including OT systems, where technically feasible)?  Implemented
In Progress
Scoped
Not Started
2.B 3 Article: Choosing and Protecting Passwords Not all passwords are created equal! This article explains how to choose and protect strong passwords. John the Ripper Password Cracker This offering is a password security auditing and password recovery tool available for many operating systems. 15
Do you log all unsuccessful login attempts and provide security teams with alerts if a certain number of unsuccessful logins occur over a short period of time? (2.G) Yes
No
Logs: A record of the events occurring within an organization’s systems and networks. Do you log all unsuccessful login attempts and provide security teams with alerts if a certain number of unsuccessful logins occur over a short period of time?  Implemented
In Progress
Scoped
Not Started
2.G 3 Logging Made Easy (LME) Logging is an important part of any organization's security posture. CISA has rolled out a new service that will make logging a breeze for your organization. Click the link to learn more! Security Onion Security Onion is a free and open Linux distribution for threat hunting, enterprise security monitoring, and log management. 21
Do you change default passwords on all your IT and OT assets to the maximum extent possible, and implement compensating security controls wherever it is not? (2.A) Yes
No
Default Passwords: Factory default software configurations for embedded systems, devices, and appliances often include simple,
publicly documented passwords. These systems usually do not provide a full operating system interface for user management,
and the default passwords are typically identical (shared) among all systems from a vendor or within product lines. Default
passwords are intended for initial testing, installation, and configuration operations, and many vendors recommend changing the
default password before deploying the system in a production environment.

Information Technology (IT): Any equipment or interconnected system or subsystem of equipment used in the automatic
acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange,
transmission, or reception of data or information.

Operational Technology (OT): Programmable systems or devices that interact with the physical environment (or manage devices
that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include ICSs, building management systems, fire control systems, andphysical access control mechanisms.
Do you change default passwords on all your IT and OT assets to the maximum extent possible, and implement compensating security controls wherever it is not?  Implemented
In Progress
Scoped
Not Started
2.A 4 Bad Practices  It's important to change the default passwords on all of your assets. Check out this list of other common "Bad Practices" that might be making it easier for attackers to target your organization. AllStar AllStar is a GitHub application for enforcing security policies and permissions. 24
Do you use MFA for access to all IT/OT assets, using the strongest available method possible? (2.H) Yes
No
Multi-Factor Authentication (MFA): Multifactor authentication is a layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login.


Organizations should implement MFA for access to assets using the strongest available method for that asset). MFA options sorted by strength, high to low, are as follows:
1. Hardware-based, phishing-resistant MFA (e.g., FIDO/WebAuthn or public key infrastructure (PKI) based - see CISA guidance in”Resources”);
2. If such hardware-based MFA is not available, then mobile app-based soft tokens (preferably push notification with number matching) or emerging technology such as FIDO passkeys are used;
3. MFA via short message service (SMS) or voice only used when no other options are possible.

Phishing-Resistant MFA: As defined in OMB Memorandum 22-09, authentication processes designed to detect and prevent
disclosure of authentication secrets and outputs to a website or application masquerading as a legitimate system.


Information Technology (IT): Any equipment or interconnected system or subsystem of equipment used in the automatic
acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange,
transmission, or reception of data or information.

Operational Technology (OT): Programmable systems or devices that interact with the physical environment (or manage devices
that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include ICSs, building management systems, fire control systems, and physical access control mechanisms.
Do you use phishing-resistant MFA for critical systems?  Implemented
In Progress
Scoped
Not Started
2.H 5 Video: Make Your Accounts Safer with MFA Using Multi-Factor Authentication (or MFA) is a simple way to make your accounts much safer from criminals seeking to steal your information. Watch this video to learn more. CISA MFA Resources A password is not enough. CISA strongly recommends that individuals and organizations implement multi-factor authentication to keep your accounts and data safe. Check out CISA's MFA Resource page to learn more. 26
Do you ensure all user and administrator or super-user accounts are kept separate and privileges are re-evaluated on a recurring basis? (2.E) Yes
No

Do you ensure all user and administrator or super-user accounts are kept separate and privileges are re-evaluated on a recurring basis?  Implemented
In Progress
Scoped
Not Started
2.E 3 Article: Defend Privileges and Accounts (Not CISA) Users should only have the minimum privileges necessary to do their work. This article explains the importance of separating accounts and the principle of "least privilege." Secureworks WhiskeySAML The WhiskeySAML tool automates the remote extraction of an ADFS signing certificate. 12
Do you ensure all credentials, including those for service/machine accounts, are unique and separate across IT and OT networks? (2.C) Yes
No
Service acccount: "Non-human" (not specific to an individual user) account that is often used by an application or service to interact with the operating system


Information Technology (IT): Any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange,
transmission, or reception of data or information.

Operational Technology (OT): Programmable systems or devices that interact with the physical environment (or manage devices
that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include ICSs, building management systems, fire control systems, and physical access control mechanisms.
Do you ensure all credentials are unique and separate?  Implemented
In Progress
Scoped
Not Started
2.C 4 Article: Choosing and Protecting Passwords Not all passwords are created equal! This article explains how to choose and protect strong passwords. O365Spray This tool is a username enumeration and password spraying tool aimed at Microsoft Office 365. 15
Do you have an enforced process that ensures all departing employees return their physical security badges, tokens, etc. and have their accesses revoked on the day of their departure? (2.D) Yes
No

Do you have an enforced process that ensures all departing employees return their physical security badges, tokens, etc. and have their accesses revoked on the day of their departure?  Implemented
In Progress
Scoped
Not Started
2.D 2 CISA Webinar: A Holistic Approach to Mitigating Insider Threats Employees who leave your organization should not have access to your organization's data. Watch this webinar to learn more about departing employees and other potential insider threats. Insider Threat Mitigation Guide This guide will explain the threat that current and former employees can pose to your organization and offer to steps to mitigate the risk. 10

Sheet 5: Device Configuration & Security

Questions Possible Responses Definitions Original CPG Questions Original Responses Associated CPGs Level CISA Resources Recommendation Description for Primary Resource Secondary Resources Recommendation Description for 2nd Resource Priority
Do you have device configuration policies and controls in place to manage the security, provisioning, and deployment of devices across the organization? (Category Question) Yes
No
Configuration: The possible conditions, parameters, and specifications with which an information system or system component can be described or arranged. N/A Implemented
In Progress
Scoped
Not Started
Category N/A Securing Network Infrastructure Devices Check out this post on CISA's blog to get started securing network devices. Cyber Essentials Toolkit: Your System CISA's Cyber Essentials Toolkit provides guidance on where to start when implementing cybersecurity best practices. Check out Chapter 3 to learn about securing your systems. 7
Do you have administrative policies or automated processes that ensure all new hardware, firmware or software must be approved before being deployed? (2.Q) Yes
No

Do you have administrative policies or automated processes that ensure all new hardware, firmware or software must be approved before being deployed?  Implemented
In Progress
Scoped
Not Started
2.Q 5 Configuration and Change Management CRR  In order to keep your environment secure, you have to know what devices you have, how they're configured, and have a defined process for any changes you need to make. Read this guide to Configuration and Change Management to get started. CIS Hardware and Software Asset Tracker This tool is designed to help identify devices and applications. The spreadsheet can be used to track hardware, software, and sensitive information. 36
Are Microsoft Office macros, or similar embedded code, disabled by default on all devices? (2.N) Yes
No
Microsoft Office Macros: A macro in Access is a tool that automates tasks and adds functionality to forms, reports, and controls.
For example, when a command button is added to a form, the button’s OnClick event is associated with the macro.
Are Microsoft Office macros, or similar embedded code, disabled by default on all devices?  Implemented
In Progress
Scoped
Not Started
2.N 2 Article: Macro Security For Microsoft Office (Not CISA) Many types of malware rely on embedded code, such as Microsoft Office macros. To keep your organization safe, these macros should be disabled by default. Read this article to learn more. How to Disable Macros This white paper from the Center for Internet Security will walk you through the process of disabling macros by default in your organization. 8
Do you maintain a regularly updated inventory of all organizational assets with an IP address, and update this on a recurring basis? (1.A) Yes
No
Inventory: The formal listing or property record of personal property assigned to an organization. Do you maintain a regularly updated inventory of all organizational assets with an IP address, and update this on a recurring basis?  Implemented
In Progress
Scoped
Not Started
1.A 5 Stuff Off Search  What do you know about your internet attack surface? To make sure you know what's accessible to attackers, check out CISA's Stuff Off Search. Google Security Command Center This tool helps users strengthen their security posture by evaluating their security and data attack surface; providing asset inventory and discovery; identifying misconfigurations, vulnerabilities and threats; and helping them mitigate and remediate risks. 30
Do you have policies and processes to prohibit the connection of unauthorized devices and media to IT and OT systems? (2.V) Yes
No
Information Technology (IT): Any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.

Operational Technology (OT): Programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include ICSs, building management systems, fire control systems, and physical access control mechanisms.
Do you have policies and processes to prohibit the connection of unauthorized devices and media to IT and OT systems?   Implemented
In Progress
Scoped
Not Started
2.V 5 Article: The Risks of Portable Devices Keep your organization safe by ensuring you have policies and procedures to prevent unauthorized devices from connecting to your network. This article outlines the risks posed by portable devices. Article: Protecting Portable Devices Read this blog from CISA to learn about how to protect your portable devices. 29
Do you maintain accurate documentation of network topology for all IT and OT networks? (2.P) Yes
No
Network topology is used to describe the physical and logical structure of a network. It maps the way different nodes on a network--including switches and routers--are placed and interconnected, as well as how data flows. 

Information Technology (IT): Any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.

Operational Technology (OT): Programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include ICSs, building management systems, fire control systems, and physical access control mechanisms.
Do you maintain accurate documentation of network topology for all IT and OT networks?  Implemented
In Progress
Scoped
Not Started
2.P 4 CRR Resource Guide: Asset Inventory To know what to protect, you need to know what you have. Check out this resource guide to creating an asset inventory. Video: Create a Network Diagram This video from Microsoft explains how to use Microsoft Vizio to create a network diagram 25
Do you maintain accurate documentation describing the baseline and current configuration details of all critical IT and OT assets? (2.O) Yes
No
Baseline configurations: A documented set of specifications for an information system, or a configuration item within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures.

Information Technology (IT): Any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.

Operational Technology (OT): Programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include ICSs, building management systems, fire control systems, and physical access control mechanisms.
Do you maintain accurate documentation of baseline and current configurations of all critical IT and OT assets?  Implemented
In Progress
Scoped
Not Started
2.O 5 CRR Resource Guide: Configuration and Change Management In order to keep your environment secure, you have to know what devices you have, how they're configured, and have a defined process for any changes you need to make. Read this guide to Configuration and Change Management to get started. Microsoft Security Compliance Toolkit 1.0 This toolset allows enterprise security administrators to download, analyze, test, edit and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products, while comparing them against other security configurations. 36













Sheet 6: Data Security

Original Question Possible Responses Definitions Original CPG Questions Original Reponses Associated CPGs Level CISA Resources Recommendation Description for Primary Resource Secondary Resources Recommendation Description for 2nd Resource Priority
Do you have security controls and monitoring in place to protect the Confidentiality, Integrity, and Availability (CIA) of data? (Category Question) Yes
No
The CIA triad is a widely used information security model that can guide an organization’s efforts and policies aimed at keeping its data secure. The initials stand for the three principles on which information security rests:
- Confidentiality: Only authorized users and processes should be able to access or modify data
- Integrity: Data should be maintained in a correct state and nobody should be able to improperly modify it, either accidentally or maliciously
- Availability: Authorized users should be able to access data whenever they need to do so
N/A Implemented
In Progress
Scoped
Not Started
Category N/A Article: What is Cybersecurity? If you're ready to start securing your network, check out this article with some cybersecurity basics. Cyber Essentials Toolkit: Your Data CISA's Cyber Essentials Toolkit provides guidance on where to start when implementing cybersecurity best practices. Check out Chapter 5 to learn about securing your data. 2
Are logs stored in a secure, centralized system, such as a security information and event management (SIEM) tool? (2.U) Yes
No
Security information and event management (SIEM) tools: solutions which aggregate logs and allow users to create rules in order to detect, analyze, and respond to security threats.

Logs: A record of the events occurring within an organization’s systems and networks.
Are logs stored in a secure, centralized system, such as a security information and event management tool?  Implemented
In Progress
Scoped
Not Started
2.U 5 Logging Made Easy (LME) Logging is an important part of any organization's security posture. CISA has rolled out a new service that will make logging a breeze for your organization. Click the link to learn more! Video: Introduction to Investigating Logs for Incidents Watch this webinar to learn about the importance of logging and how logs can be used in incident analysis and response. 27
Do you collect and store logs for use for both detection and incident response activities? (2.T) Yes
No
Logs: A record of the events occurring within an organization’s systems and networks. Do you collect and store logs for use for both detection and incident response activities?  Implemented
In Progress
Scoped
Not Started
2.T 5 Video: Introduction to Incident Analysis and Tools Watch this webinar to learn about incident response tools. Security Onion Security Onion is a free and open Linux distribution for threat hunting, enterprise security monitoring, and log management. 28
Do you ensure all connections between IT and OT assets are denied by default unless explicitly allowed, and are required to pass through an intermediary system which is monitored and performs log collection? (2.F) Yes
No
Demilitarized Zone (DMZ): Perimeter network segment that is logically between internal and external networks. Its purpose is to enforce the internal network’s information assurance policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding the internal networks from intrusions.

Firewall: An inter-network connection device that restricts data communication traffic between two connected networks. A firewall may be either an application installed on a general-purpose computer or a dedicated platform (appliance) that forwards or rejects/drops packets on a network. Typically, firewalls are used to define zone borders. Firewalls generally have rules restricting which ports are open.

Information Technology (IT): Any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.

Operational Technology (OT): Programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include ICSs, building management systems, fire control systems, and physical access control mechanisms.
Do you ensure all connections between IT and OT assets are denied by default unless explicitly allowed, and are required to pass through an intermediary system which is monitored and performs log collection?  Implemented
In Progress
Scoped
Not Started
2.F 5 Layering Network Security through Segmentation Infographic  Check out this infographic to learn more about layering network security through segmentation. Network Segmentation: Concepts and Practices Visit Carnegie Mellon University's Software Engineering Institute Blog for an article on Network Segmentation concepts. 31
Are sensitive data, including credentials, stored in a secure manner and only accessible to authenticated and authorized users? (2.L) Yes
No

Are sensitive data, including credentials, stored in a secure manner and only accessible to authenticated and authorized users?  Implemented
In Progress
Scoped
Not Started
2.L 5 Guide: Identity, Credential, and Access Management (ICAM) To make sure that you are properly managing user identities and credentials, check out this guide. BitLocker for Microsoft Windows This tool encrypts Microsoft Windows systems. 37
Do you employ properly configured and up-to-date Transport Layer Security to protect data in transit whenever feasible? (2.K) Yes
No
Transport Layer Security (TLS): An authentication and encryption protocol widely implemented in browsers and web
servers. HTTP traffic transmitted using TLS is known as HTTPS.

Encryption: Any procedure used in cryptography to convert plain text into cipher text to prevent anyone but the intended recipient from reading that data.
Do you employ properly configured and up-to-date Transport Layer Security to protect data in transit whenever feasible?  Implemented
In Progress
Scoped
Not Started
2.K 5 CIS Guide: Encrypt Data in Transit (Note: Not CISA) To protect data in transit, check out this Guide from the Center for Internet Security. Cloudflare Universal Secure Socket Layer Certificate SSL (Secure Socket Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. Cloudflare allows any internet property to use SSL with the click of a button. 38
Do you implement STARTTLS, SPF and DKIM, and DMARC on all organizational email infrastructure? (2.M) Yes
No
When enabled by a receiving mail server, STARTTLS signals to a sending mail server that the capability to encrypt an email in transit is present. While it does not force the use of encryption, enabling STARTTLS makes passive man-in-the-middle attacks more difficult.

SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) allow a sending domain to effectively “watermark” their emails, making unauthorized emails (e.g., spam, phishing email) easy to detect.

When an email is received that doesn’t pass an agency’s posted SPF/DKIM rules, DMARC (Domain-based Message Authentication, Reporting & Conformance) tells a recipient what the domain owner would like done with the message.Setting a DMARC policy of “reject” provides the strongest protection against spoofed email, ensuring that unauthenticated messages are rejected at the mail server, even before delivery. Additionally, DMARC reports provide a mechanism for an agency to be made aware of the source of an apparent forgery, information that they wouldn’t normally receive otherwise. Multiple recipients can be defined for the receipt of DMARC reports.
Do you implement STARTTLS, SPF, DKIM and DMARC on all organizational email infrastructure?  Implemented
In Progress
Scoped
Not Started
2.M 2 Insights: Enhance Email and Web Security A significant portion of attacks against organizations come via email. Download this guide to CISA's recommendations for enhancing email security to protect your organization. Perception Point Perception Point Perception Point’s Free Email Security Plan, protects organizations from any threat entering organization via email and other collaboration channels. 9
Do you maintain a regularly updated list of threats and their Tactics, Techniques, and Procedures (TTPs; for example, MITRE ATT&CK) relevant to your organization? (3.A) Yes
No
TTPs - The behavior of a threat actor. A tactic is the highest-level description of the behavior; techniques provide a more detailed description of the behavior in the context of a tactic; and procedures provide a lower-level, highly detailed description of the behavior in the context of a technique.

The MITRE ATT&CK framework is globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
Do you maintain a regularly updated list of threats and TTPs relevant to your organization?  Implemented
In Progress
Scoped
Not Started
3.A 5 CISA’s Alerts and Adversaries  CISA regularly publishes alerts and adviseries to keep organizations informed about existing and potential threats. Microsoft Defender Antivirus This tool protects and detects endpoint threats, including file-based and fileless malware. Built into Windows 10 and 11 and in versions of Windows Server. 32

Sheet 7: Governance and Training

Question Possible Responses Definitions Original CPG Questions Original Responses Associated CPGs Level CISA Resources Recommendation Description for Primary Resource Secondary Resources Recommendation Description for 2nd Resource Priority
Does your organization develop and practice information security governance across the organization and provide cybersecurity training for all employees? (Category Question) Yes
No
Security governance: a process for overseeing the cybersecurity teams who are responsible for mitigating business risks. Security governance leaders make the decisions that allow risks to be prioritized so that security efforts are focused on business priorities rather than their own.
Implemented
In Progress
Scoped
Not Started
Category N/A SAFECOM Governance Resources For guidance on the importance of establishing security governance within your organization, take a look at the resources on the SAFECOM Governance page. Cybersecurity Workforce Training Guide This Guide helps professionals develop a training plan based on their current skill level and desired career opportunities. 5
Does your organization have a named role/position/title identified as responsible and accountable for planning, resourcing, and execution of cybersecurity activities? (1.B) Yes
No

Does your organization have a named role/position/title identified as responsible and accountable for planning, resourcing, and execution of cybersecurity activities?  Implemented
In Progress
Scoped
Not Started
1.B 3 Cyber Guidance for Beginners To get started implementing a security culture at your organization, take a look at CISA's Guidance for Small Organizations. CISA Cyber Essentials Starter Kit CISA’s Cyber Essentials is a guide for leaders of small organizations to develop an actionable understanding of where to start implementing organizational cybersecurity practices. 14
Are all employees and contractors provided with basic cybersecurity training on at least an annual basis? (2.I) Yes
No

Are all employees and contractors provided with basic cybersecurity training on at least an annual basis?  Implemented
In Progress
Scoped
Not Started
2.I 3 Recognize and Report Phishing Video Did you know that CISA is on YouTube? Check out our channel for short educational videos like this one that you can use to train your employees and increase their security awareness. Phishing Guidance from CISA: Stopping the Attack Cycle at Phase One You can find plenty of documents providing basic cybersecurity guidance for your employees at cisa.gov, including this article detailing Anti-phishing guidance for your organizaiton. 11
Do you have training for OT cybersecurity? (2.J) Yes
No
Operational Technology (OT): Programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include ICSs, building management systems, fire control systems, and physical access control mechanisms. Do you have training for OT cybersecurity?  Implemented
In Progress
Scoped
Not Started
2.J 3 OT Training Sign Up  Did you know that CISA provides virtual and in-person training sessions on a variety of topics? Visit CISA's training page to learn more. Cybersecurity Workforce Training Guide This Guide helps professionals develop a training plan based on their current skill level and desired career opportunities. 20

Sheet 8: VM

Questions Possible Responses Definitions Original CPG Questions Original Responses Associated CPGs Level CISA Resources Recommendation Description for Primary Resource Secondary Resources Recommendation Description for 2nd Resource Priority
Does your organization have a process for Vulnerability Management? (Category Question) Yes
No
Vulnerability Management: the process of continuously identifying, evaluating, treating, and reporting the weaknesses in a system that could be exploited by a threat actor
Implemented
In Progress
Scoped
Not Started
Category N/A CRR Guide: Vulnerability Management To get started with Vulnerability Management, download this comprehensive guide. Video: Cloud Vulnerability Management As organizations move more and more of their IT infrastructure to the cloud, it's important to ensure that your organization has vulnerability management in place in your virtual environment. Check out this vide from the 4th Annual National Cybersecurity Summit to learn more. 6
Do you keep track of known exploited vulnerabilities (listed in CISA’s KEV Catalog) and ensure they are patched or mitigated in a timely fashion? (1.E) Yes
No
Known Exploitable Vulnerabilities (KEV) Catalog: A list of vulnerabilities that CISA has identified as being exploited, or that have been
used by threat actors.
Do you keep track of known exploited vulnerabilities (listed in CISA’s KEV Catalog) and ensure they are patched or mitigated in a timely fashion?  Implemented
In Progress
Scoped
Not Started
1.E 4 Known Exploited Vulnerabilities  CISA keeps a database on Known Exploited Vulnerabilities on our website. Check it out here. Blog: Understanding Patches and Software Updates Many software updates are created to fix security risks, so it's important to keep your software up to date, as this blog article will explain. 22
Do you maintain a public, easily discoverable method (such as a security.txt file) for security researchers to notify your security team of vulnerable, misconfigured, or otherwise exploitable assets? (4.B) Yes
No
Vulnerability Disclosure Program: Gives security researchers clear guidelines for conducting vulnerability discovery activities and conveys CISA preferences for submitting discovered vulnerabilities to an organization.

security.txt file: a proposed standard for websites' security information that is meant to allow security researchers to easily report security vulnerabilities: https://securitytxt.org/
Do you currently have a Vulnerability Disclosure Policy and/or run a bug bounty program? & Do you have a security.txt file on all public facing domains? Implemented
In Progress
Scoped
Not Started
4.B, 4.C 5 CISA VDP  Visit https://securitytxt.org/ to learn about how you can create your owen security.txt file. securitytxt.org Visit https://securitytxt.org/ to learn about how you can create your owen security.txt file. 35
Do you ensure that no exploitable services, such as Remote Desktop Protocol (RDP), are exposed on the public internet without appropriate compensating controls? (2.W) Yes
No
Remote Desktop Protocol (RDP): Microsoft proprietary protocol that enables remote connections to other computers,
typically over TCP port 3389. It provides network access for a remote user over an encrypted channel. Network
administrators use RDP to diagnose issues, login to servers, and to perform other remote actions. Remote users use RDP to
log into the organization’s network to access email and files.

Compensating Controls - The security and privacy controls implemented in lieu of the controls in the baselines described in NIST
Special Publication 800-53 that provide equivalent or comparable protection for a system or organization.
Do you ensure that no exploitable services are exposed to the Internet without appropriate compensating controls?  Implemented
In Progress
Scoped
Not Started
2.W 3 Web Application Scanning Service CISA's Cyber Hygiene Web Application Scanning is "internet scanning-as-a-service." This service assesses the "health" of your publicly accessible web applications by checking for known vulnerabilities and weak configurations. Binary Edge This tool continuously collects and correlates data from internet accessible devices, allowing organizations to see what is their attack surface and what they are exposing to attackers. 19
Do you ensure that no OT assets are on the public Internet, except where explicitly required for operation and protected by appropriate compensating controls? (2.X) Yes
No
Operational Technology (OT): Programmable systems or devices that interact with the physical environment (or manage devices
that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/
or control of devices, processes, and events. Examples include ICSs, building management systems, fire control systems, and
physical access control mechanisms.

Compensating Controls - The security and privacy controls implemented in lieu of the controls in the baselines described in NIST
Special Publication 800-53 that provide equivalent or comparable protection for a system or organization.
Do you ensure that no OT assets are on the public Internet, except where explicitly required for operation and protected by appropriate compensating controls?  Implemented
In Progress
Scoped
Not Started
2.X 5 Cyber Hygiene Vulnerability Scanning Did you know that CISA offers several cyber hygiene services to help keep your organization safe? Visit the Vulnerability Scanning page today to take advantage of this free service. Web Application Scanning Service CISA's Cyber Hygiene Web Application Scanning is "internet scanning-as-a-service." This service assesses the "health" of your publicly accessible web applications by checking for known vulnerabilities and weak configurations. 19
Do third-parties with demonstrated expertise in (IT and/or OT) cybersecurity regularly validate the effectiveness and coverage of your cybersecurity defenses? (1.F) Yes
No
Information Technology (IT): Any equipment or interconnected system or subsystem of equipment used in the automatic
acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange,
transmission, or reception of data or information.

Operational Technology (OT): Programmable systems or devices that interact with the physical environment (or manage devices
that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/
or control of devices, processes, and events. Examples include ICSs, building management systems, fire control systems, and
physical access control mechanisms.
Do you regularly run third party tests such as penetration tests, incident simulations, tabletop exercises, etc.?  Implemented
In Progress
Scoped
Not Started
1.F 5 Remote Penetration Test Service This service tests perimeter defenses by mimicking the techniques adversaries use to gain unauthorized access to networks Stakeholder Exercises CISA offers a wide portfolio of downloadable Tabletop Exercise Packages (CTEPs) to serve as an off-the-shelf solution for a variety of stakeholders' exercise needs 33

Sheet 9: SCRM

Questions Possible Responses Definitions Original CPG Questions Original Responses Associated CPGs Level CISA Resources Recommendation Description for Primary Resource Secondary Resources Recommendation Description for 2nd Resource Priority
Do you have a Supply Chain Risk Management process, or is risk management a consideration in your Supply Chain Management process? (Category Question) Yes
No
Supply Chain Risk Management (SCRM): A systematic process for managing cyber supply chain risk exposures, threats, and vulnerabilities throughout the supply chain and developing risk response strategies to the risks presented by the supplier, the supplied products and services, or the supply chain.
Implemented
In Progress
Scoped
Not Started
Category N/A SCRM Webinar Watch this webinar to learn about the importance of Supply Chain Risk Management and get started implementing SCRM in your organization. Cyber Essentials: Supply Chain Risk Management (SCRM) CISA's Cyber Essentials Toolkit provides guidance on where to start when implementing cybersecurity best practices. Check out this chapter to learn more about SCRM. 4
Do your procurement documents and contracts require vendors and service providers to inform you of security incidents within a certain time frame? (1.G) Yes
No
Procurement Documents: the paperwork detailing the contractual relationship between a customer and a supplier of goods or services Do your procurement documents and contracts require vendors and service providers to inform you of security incidents within a certain time frame? Implemented
In Progress
Scoped
Not Started
1.G 3 Third Party Risk Management Template  Download CISA's Third Party Risk Management template, so you can start making sure your third parties don't pose unnecessary risk to your organization FedVTE course: Cyber Supply Chain Risk Management for the Public This free online course is available to the public and will explain how to get started with Supply Chain Risk Management 17
Do your procurement documents and contracts require vendors and service providers to inform you of security vulnerabilities within a certain time frame? (1.H) Yes
No
Procurement Documents: the paperwork detailing the contractual relationship between a customer and a supplier of goods or services Do your procurement documents and contracts require vendors and service providers to inform you of security vulnerabilities within a certain time frame? Implemented
In Progress
Scoped
Not Started
1.H 3 A Resource Guide for developing a Resilient Supply Chain Risk Management Plan The ICT SCRM Task Force’s resource guide was created to provide a valuable starting point for you to develop and tailor an ICT SCRM plan that meets the needs of your organization. Securing Small and Medium-Sized Business (SMB) Supply Chains: A Resource Handbook This handbook provides an overview of the highest supply chain risk categories commonly faced by ICT small and medium-sized businesses (SMBs). 17
Do your procurements documents outline cybersecurity requirements and questions that are used to evaluate vendors such that, given two roughly equivalent options based on cost and functionality, the more secure option is preferred? (1.I) Yes
No
Procurement Documents: the paperwork detailing the contractual relationship between a customer and a supplier of goods or services o your procurement practices include cybersecurity requirements so that, given two roughly equivalent options based on cost and functionality, the more secure option is preferred? Implemented
In Progress
Scoped
Not Started
1.I 3 Video: Evaluating Vendor and Supplier Trustworthiness When choosing a vendor, it's important to keep security in mind. Watch this video to learn how to evaluate a vendor's trustworthiness. OpenSSF: Scorecards Security Scorecards is a collection of security health metrics for open source, allowing users to evaluate the security practices of an open source package before use. 12

Sheet 10: IR

Questions Possible Responses Definitions Original CPG Questions Original Responses Associated CPGs Level CISA Resources Recommendation Description for Primary Resource Secondary Resources Recommendation Description for 2nd Resource Priority
Do you have an Incident Response and Recovery plan? (Category Question) Yes
No
Incident Response Plan: A set of predetermined and documented procedures to detect and respond to a cyber incident.
Implemented
In Progress
Scoped
Not Started
Category N/A Incident Response Plan Basics  When incidents happen, your organization will recover faster if you already have a plan in place. Download this article to get started. Planning Considerations for Cyber Incidents: Guidance for Emergency Managers This guide provides recommendations on how to plan for and respond to cyber incidents. 3
Do you have up-to-date plans to recover and restore assets in case of a cybersecurity incident? (5.A) Yes
No

Do you have up-to-date plans to recover and restore assets in case of a cybersecurity incident?  Implemented
In Progress
Scoped
Not Started
5.A 3 Incident Response Webinar To get started making an Incident Response plan, check out CISA's free on-demand webinar "Incident Response and Awareness Training" CRR Supplemental Resource Guide, Volume 5: Incident Management - Appendix A: Template The The Cyber Resilience Review Resource Guide for Incident Management has an Incident Reponse Plan Template that you can use to start drafting an IRP for your organization. 16
Do you have up-to-date cybersecurity incident plans for both IT and OT, and are these Incident Response plans drilled at least annually? (2.S) Yes
No
Information Technology (IT): Any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.

Operational Technology (OT): Programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include ICSs, building management systems, fire control systems, and physical access control mechanisms.
Do you have up-to-date and regularly exercised cybersecurity incident response plans for both IT and OT?  Implemented
In Progress
Scoped
Not Started
2.S 3 Tabletop Exercise Packages  CISA offers a wide portfolio of downloadable Tabletop Exercise Packages (CTEPs) to serve as an off-the-shelf solution for a variety of stakeholders' exercise needs Cybersecurity Tabletop Exercise Tips Check out this fact sheet for some tips on creating and running your own tabletop exercises. 18
Do you have codified policies and procedures that specify to whom and how to report all confirmed cybersecurity incidents to the appropriate external authorities, within time frames directed by applicable regulatory guidance? (4.A) Yes
No

Do you know where you can report incidents to CISA securely?  Implemented
In Progress
Scoped
Not Started
4.A 3 CISA's Incident Reporting System Save this link - The CISA Incident Reporting System provides a secure web-enabled means of reporting computer security incidents to CISA. Federal Incident Notification Guidelines This document provides guidance on incident reporting requirements. 13
Do you back up all business critical systems at a regular cadence, no less than once per year, and are these backups stored separately from the source systems? (2.R) Yes
No

Do you back up all systems necessary for operations at a regular cadence, no less than once per year?  Implemented
In Progress
Scoped
Not Started
2.R 5 Data Backup Options  To ensure the availabilty of your data, it's important to make regular backups. CISA has some backup options detailed here. Windows Auto Backup This tool sets up automatic backups of Windows 10 and 11 operating systems. 34
File Typeapplication/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File Modified0000-00-00
File Created0000-00-00

© 2024 OMB.report | Privacy Policy