U.S. Cybersecurity and Infrastructure Security Agency (CISA), which describes itself as America’s Cyber Defense Agency, today published an updated Cybersecurity Performance Goals (CPG) Report. The CPGs are voluntary practices that businesses and critical infrastructure owners can adopt to protect themselves against cyber threats. Per CISA, the updated CPGs have been reorganized, reordered and renumbered to align closely with the NIST CSF functions (Identify, Protect, Detect, Respond, and Recover) so that organizations can more easily use the CPGs to prioritize investments as part of a broader cybersecurity program built around the CSF. From day one, the CPGs were intended to help companies implement a risk-based approach to cybersecurity that aligns with industry standards and best practices, and that can be integrated into their overall business strategy.
The CPGs include known vulnerability mitigation for Internet-facing IT assets among the top priorities in Section 1.E (“Mitigating Known Vulnerabilities”), with the goal of reducing the likelihood of threat actors exploiting known vulnerabilities to breach organizational networks. The recommended action reads as follows: “All known exploited vulnerabilities (listed in CISA’s Known Exploited Vulnerabilities Catalog) in internet-facing systems are patched or otherwise mitigated within a risk-informed span of time, prioritizing more critical assets first.” It also adds that for assets where patching is either not possible or may substantially compromise availability or safety, compensating controls are applied (e.g., segmentation, monitoring) and recorded. Sufficient controls either make the asset inaccessible from the public internet or reduce the ability of threat actors to exploit the vulnerabilities in these assets.
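The goal above is easiest to operationalize as a small recurring check: take the scanner's CVE findings for each internet-facing asset, keep only the ones listed in the KEV catalog, apply a remediation window that tightens with asset criticality, and treat an unpatchable asset as compliant only when a compensating control has actually been recorded. The script below is an added example (not Action1's product code and not anything published by CISA). It assumes the KEV records carry the field names of CISA's public KEV JSON feed (`cveID`, `vendorProject`, `product`, `dateAdded`); the CVE identifiers, asset names and the 7/14/30-day windows are constructed placeholders, since the CPG leaves the exact "risk-informed span of time" to each organization.

```python
"""Added example: prioritising KEV-listed vulnerabilities on internet-facing assets.

All data here is constructed. CVE IDs are placeholders, not real entries from
the KEV catalog, and the SLA windows are an assumed organisational policy.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed risk-informed remediation windows, counted from the KEV dateAdded.
# The most critical assets get the shortest window ("prioritizing more critical
# assets first"). These numbers are illustrative, not a CISA requirement.
SLA_DAYS = {"high": 7, "medium": 14, "low": 30}


@dataclass
class Asset:
    name: str
    internet_facing: bool
    criticality: str                     # "high" | "medium" | "low"
    cves: list                           # CVE IDs reported by a vulnerability scanner
    patchable: bool = True               # False when patching would harm availability/safety
    compensating_controls: list = field(default_factory=list)  # e.g. ["segmentation"]


@dataclass
class Finding:
    asset: str
    cve: str
    criticality: str
    due: date
    days_left: int                       # negative when the window has already passed
    status: str                          # "overdue" | "open" | "mitigated" | "needs_control"


def _kev_index(kev_feed):
    """Map cveID -> record, using the field names of CISA's KEV JSON feed."""
    return {v["cveID"]: v for v in kev_feed["vulnerabilities"]}


def plan_remediation(assets, kev_feed, today):
    """Return KEV findings on internet-facing assets, most urgent first."""
    kev = _kev_index(kev_feed)
    findings = []
    for a in assets:
        if not a.internet_facing:
            continue                     # CPG 1.E scopes the goal to internet-facing systems
        for cve in a.cves:
            entry = kev.get(cve)
            if entry is None:
                continue                 # not known-exploited: normal patch cadence applies
            added = date.fromisoformat(entry["dateAdded"])
            due = added + timedelta(days=SLA_DAYS[a.criticality])
            days_left = (due - today).days
            if not a.patchable:
                # Patching not possible: the goal accepts compensating controls,
                # but only if they are applied AND recorded.
                status = "mitigated" if a.compensating_controls else "needs_control"
            elif days_left < 0:
                status = "overdue"
            else:
                status = "open"
            findings.append(Finding(a.name, cve, a.criticality, due, days_left, status))
    # Sort: violations first, then by asset criticality, then by soonest due date.
    urgency = {"overdue": 0, "needs_control": 0, "open": 1, "mitigated": 2}
    rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (urgency[f.status], rank[f.criticality], f.days_left))
    return findings


def out_of_compliance(findings):
    """(asset, cve) pairs that currently fail the goal."""
    return [(f.asset, f.cve) for f in findings if f.status in ("overdue", "needs_control")]


# --- constructed sample input -------------------------------------------------
SAMPLE_KEV = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "EdgeVPN",
     "dateAdded": "2024-01-10"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "WebPortal",
     "dateAdded": "2024-01-15"},
]}

SAMPLE_ASSETS = [
    Asset("vpn-gw-01", True, "high", ["CVE-0000-0001", "CVE-0000-0003"]),  # 0003 is not in KEV
    Asset("web-portal", True, "medium", ["CVE-0000-0002"]),
    Asset("scada-hmi", True, "high", ["CVE-0000-0001"], patchable=False,
          compensating_controls=["segmentation", "monitoring"]),            # recorded controls
    Asset("legacy-kiosk", True, "low", ["CVE-0000-0002"], patchable=False), # nothing recorded
    Asset("hr-db", False, "high", ["CVE-0000-0001"]),                       # not internet-facing
]


def example_plan(today=date(2024, 1, 20)):
    """Run the check against the constructed sample data."""
    return plan_remediation(SAMPLE_ASSETS, SAMPLE_KEV, today)


if __name__ == "__main__":
    for f in example_plan():
        print(f"{f.status:14} {f.asset:13} {f.cve}  due {f.due}  ({f.days_left:+d} days)")
    print("out of compliance:", out_of_compliance(example_plan()))
```

In the sample run the VPN gateway is overdue (a high-criticality asset three days past its 7-day window), the kiosk fails because it is unpatchable with no control recorded, the web portal is still inside its window, and the HMI counts as mitigated only because segmentation and monitoring were written down. The ordering puts the two violations at the top, which is the list a patching tool or ticketing integration should act on first.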
Action1’s cloud-native risk-based patch management service can help you identify vulnerabilities, prioritize them, and automate patching to assist you in the implementation of CISA’s CPGs and many other security frameworks, including NIST’s Cybersecurity Framework (CSF), PCI DSS, and the Cybersecurity Maturity Model Certification (CMMC).
Patch management is also a critical component of the Cybersecurity Maturity Model Certification (CMMC), specifically in the “Cybersecurity Hygiene” domain, which is one of the five domains in the CMMC model. The “Cybersecurity Hygiene” domain focuses on ensuring basic cybersecurity practices are implemented, including the timely application of security patches and updates to systems, software, and applications. In CMMC, organizations are required to implement a documented patch management process to identify, assess, and apply patches and updates to all relevant software and systems. Failure to maintain an effective patch management program can result in lower CMMC certification levels or the loss of certification altogether.