Cybersecurity Performance Goals: Assessing How CPGs Help Organizations Reduce Cyber Risk

In October 2022, CISA released the Cybersecurity Performance Goals to help organizations of all sizes and at all levels of cyber maturity become confident in their cybersecurity posture and reduce business risk.
Earlier this summer, CISA outlined four CPGs that organizations could implement as first steps towards better cybersecurity.
While we continue to urge every organization to incorporate these fundamental cybersecurity practices, we are encouraged to see and share a few positive trends we've identified since they were released.
In line with our Cybersecurity Strategic Plan and our focus on measuring risk reduction, CISA is measuring national progress in adoption of CPGs and associated progress in addressing key risks.
Recently, CISA identified positive trends on two CPGs across nearly 3,500 organizations enrolled in our Vulnerability Scanning service before April 1, 2022.
Of note, these CPGs are particularly important in reducing the likelihood of damaging intrusions across IT and OT networks.
Since the release of the CISA CPGs, the organizations enrolled in CISA's vulnerability scanning service have consistently decreased the average number of known exploited vulnerabilities (KEVs) on their networks; the average reduction was almost 20 percent.
Figure 1: With publication of the CPGs, organizations enrolled in vulnerability scanning continued to demonstrate reductions in KEVs on their networks.
For organizations enrolled in our vulnerability scanning service, CISA looked for trends in public-facing assets with exploitable services on the internet before CPGs and after CPGs were published.
Figure 2: Organizations enrolled in vulnerability scanning demonstrated continued incremental progress in removing exploitable internet services since the CPGs were published.
Organizations enrolled in CISA's vulnerability scanning continued to show progress: the average number of KEVs exposed per entity was reduced or held steady, and the percentage of entities exposing exploitable internet services declined gradually.
CISA anticipates continued progress toward CPG implementation and risk reduction among organizations enrolled in vulnerability scanning.
Figure 3: Organizations enrolled in vulnerability scanning since the Shields Up initiative started, publication of CPGs, and CPG update and start of Ransomware Vulnerability Warning Pilot.
From April 1, 2022, to June 30, 2023, enrollment in CISA's vulnerability scanning service increased nearly 69%, to more than 5,900 participating organizations.
On average, newly enrolled organizations decreased their vulnerability exposure by 20 percent within the first three months of vulnerability scanning.
When an organization uses the CPGs, CISA and our partners can help them understand the specific things they need to do to effectively reduce the specific risks they have identified.
Our regional cybersecurity advisors are a valuable resource that can help organizations assess their cybersecurity and implement CPGs.

What You Can Do

Since the CPGs were released, we've taken steps to encourage adoption, from the Ransomware Vulnerability Warning Pilot and the Shields Up campaign to our CPG Assessments.
These are intended to achieve a simple goal: to encourage adoption of CPGs and reduce the prevalence and impact of cyber intrusions affecting American organizations.
Organizations should consider enrolling in our vulnerability scanning service and conducting a CPG Assessment, a module within our Cyber Security Evaluation Tool.
Operational data presented in this blog reflect trends identified across organizations enrolled in CISA's vulnerability scanning service, consistent with our commitment to measure and drive risk reduction across our partners.


This Cyber News was published on www.cisa.gov. Publication date: Tue, 05 Dec 2023 18:43:05 +0000

