The Cybersecurity and Infrastructure Security Agency (CISA) works to improve the overall cybersecurity posture of the United States by providing cybersecurity guidance, sharing threat intelligence, and responding to cyber incidents. CISA also engages with private sector organizations, state and local governments, and other federal agencies to build a collaborative network for sharing cybersecurity information, best practices, and coordinated responses to cyber threats.
As part of its mission to protect and secure critical infrastructure from cyber threats, CISA provides resources and assessment tools to small, medium, and large organizations. These cybersecurity resources can help your organization develop its cybersecurity risk and control profile, regardless of the level of cybersecurity maturity and size of your organization.
What Is CISA?
CISA is a U.S. government agency responsible for enhancing the cybersecurity and resilience of the nation’s critical infrastructure. CISA was established on November 16, 2018, as part of the Department of Homeland Security (DHS) through the Cybersecurity and Infrastructure Security Agency Act of 2018.
Cybersecurity Resources
Speakers on cybersecurity. CISA’s cybersecurity advisors can provide stakeholders with webinars, in-person presentations/keynotes, or panel discussions on cybersecurity and resiliency for your organization or group.
Cross-Sector Cyber Performance Goals (CPG) assessment. The CPG is a voluntary self-assessment that’s intended to be a baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value. The CPG can be used as a benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.
The CPG includes a combination of recommended practices for information technology (IT) and operational technology (OT) owners, including a prioritized set of security practices. The CPG differs from other control frameworks in that it considers not only practices that address risk to individual entities, but also the aggregate risk to the nation.
Cyber Security Evaluation Tool (CSET). CSET is a desktop software tool that guides organizations through a step-by-step self-evaluation for their industrial control system and IT network security practices. Users can evaluate their own cybersecurity stance using many recognized government and industry standards and recommendations, such as the voluntary CPG.
Ransomware Readiness Assessment (RRA). Ransomware poses an increasing threat and continues to rise as a top cyber threat impacting both businesses and government agencies. To help you understand your cybersecurity posture and assess how well your organization is equipped to defend against and recover from a ransomware incident, CISA offers the RRA.
Cyber Resilience Review (CRR). The CRR is derived from the CERT Resilience Management Model, a process improvement model developed by Carnegie Mellon University’s Software Engineering Institute for managing operational resilience. The CRR is based on the premise that an organization deploys its assets (people, information, technology, and facilities) to support specific critical services or products. Based on this principle, the CRR evaluates the maturity of your organization’s capacities and capabilities in performing, planning, managing, measuring, and defining cybersecurity capabilities across 10 domains. For more information, email iodregionaloperations@cisa.dhs.gov.
External Dependency Management (EDM) assessment. The EDM assessment is conducted as a four-hour session at a location of your choosing, and your organization can use the assessment by itself or as the first step in an improvement effort. You also may use it in conjunction with CISA’s External Dependencies Management Method, which provides a rigorous, repeatable way to identify and manage specific suppliers or other external entities that your organization depends on to support its mission.
Cyber Infrastructure Survey (CIS). The goal of the CIS is to assess the foundational and essential cybersecurity practices supporting an organization’s critical service, in order to identify dependencies, capabilities, and emerging effects of the current cybersecurity posture. After the survey, DHS will provide an interactive dashboard for scenario planning.
Cyber Incident Response Tabletop Exercise. CISA consults and plans with a range of government and private sector stakeholders to develop and conduct preparedness exercises for a variety of resilience disciplines, including cybersecurity and physical security. For more information or to request an exercise, contact cisa.exercises@cisa.dhs.gov.
CISA Tabletop Exercise Packages (CTEPs). CTEPs are a comprehensive set of resources designed to assist stakeholders in conducting their own exercises. Partners can use CTEPs to initiate discussions within their organizations about their ability to address a variety of threat scenarios. More than 100 CTEPs are available to meet stakeholders’ specific exercise needs.
Vulnerability Scanning Service. CISA’s vulnerability scanning service continuously scans your publicly accessible IT systems for vulnerabilities and provides you with weekly reports and ad hoc alerts for newly detected vulnerabilities. Additional information about the service is available at Cyber Hygiene Services.
Web Application Scanning (WAS). WAS is “internet scanning-as-a-service” and part of CISA’s service offerings. The WAS service assesses the health of your publicly accessible web applications by checking for known vulnerabilities, bugs, and weak configurations. Additionally, the WAS service can recommend ways to enhance security in accordance with industry and government best practices and standards. Note: Stakeholders must be enrolled in CISA’s Vulnerability Scanning Service to be eligible for the WAS service. Contact vulnerability@cis.dhs.gov to get started.
The resources listed are current as of October 2023. Some of the resources may be available only to U.S. companies, while the other information provided is obtainable by all. Additional guidance, including any legal limitations regarding the use of these resources, can be obtained from CISA for areas of interest.
December 2023