Cybersecurity Governance
Cybersecurity governance is a comprehensive cybersecurity strategy that integrates with organizational operations and prevents the interruption of activities due to cyber threats or attacks. Features of cybersecurity governance include:
- Accountability frameworks
- Decision-making hierarchies
- Defined risks related to business objectives
- Mitigation plans and strategies
- Oversight processes and procedures
How does CISA support Cybersecurity Governance?
CISA oversees information security policies and practices for Federal Civilian Executive Branch (FCEB) Agencies. CISA develops and oversees information security parameters, works with federal partners to bolster their cybersecurity and incident response postures, and safeguards the networks that support our nation’s essential operations.
Cybersecurity Directives
CISA develops and oversees the implementation of “binding operational directives” and “emergency directives,” which require action on the part of certain federal agencies in the civilian Executive Branch.
Emergency Directives
The goal of an emergency directive is to help federal agencies prioritize their remediation efforts, focus on those assets that carry the highest risk, and provide guidance for mitigations where vendor updates are not yet available.
ED 22-03: Mitigate VMware Vulnerabilities
ED 21-04: Mitigate Windows Print Spooler Service Vulnerability
ED 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
ED 21-03: Mitigate Pulse Connect Secure Product Vulnerabilities
Binding Operational Directives
A binding operational directive is a compulsory direction to federal executive branch departments and agencies for the purpose of safeguarding federal information and information systems.
BOD 23-01: Improving Asset Visibility and Vulnerability Detection on Federal Networks
BOD 23-01: Implementation Guidance for Improving Asset Visibility and Vulnerability Detection on Federal Networks
BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities
BOD 20-01: Develop and Publish a Vulnerability Disclosure Policy
BOD 19-02: Vulnerability Remediation Requirements for Internet-Accessible Systems
State Cybersecurity Governance Report and Case Studies
In recognition of the importance of governance in addressing cyber risks, CISA’s Cybersecurity Division and the National Association of State Chief Information Officers (NASCIO) partnered to develop a State Cybersecurity Governance Report and a series of State Cybersecurity Governance Case Studies exploring how states govern cybersecurity.
The report and case studies identify how states have used laws, policies, structures, and processes to help better govern cybersecurity as an enterprise-wide strategic issue across state governments and other public and private sector stakeholders. They explore cross-enterprise governance mechanisms used by states across a range of common cybersecurity areas and offer insight on trends and concepts useful to other states and organizations that face similar challenges.
The Homeland Security Systems Engineering and Development Institute (HSSEDI), a DHS-owned Federally Funded Research and Development Center (FFRDC), developed the case studies.