
Launching Actionable Cybersecurity Recommendations


The Cybersecurity and Infrastructure Security Agency (CISA) is now offering Actionable Cybersecurity Recommendations (ACRs) for State, Local, Tribal and Territorial (SLTT) governments and private industry partners. Informed by U.S. cyber intelligence, real-world events, and recognized best practices from Federal cybersecurity activities, ACRs are a curated set of recommendations for safeguarding cyber networks and Internet-facing infrastructure against persistent and emerging threats to the nation’s cyberspace. Each ACR provides background information on particular cyber threats and the vulnerabilities they exploit, as well as a ready-made set of mitigation activities that non-Federal partners can implement.  

About ACRs

ACRs are a recurring informational product designed to promote the wider adoption of cybersecurity best practices and industry-tested standards with the goal of improving risk management practices at all levels of government and industry. They are informed by a variety of sources, including CISA’s Binding Operational Directives (BODs) and Emergency Directives (EDs), which have played a role in improving the cybersecurity risk postures of Federal agencies. 

ACRs take the Federal Government’s lessons learned from countering particular cyber threats, as well as gains seen from the implementation of specific mitigation activities, and customize that information for SLTT and private industry audiences looking to institute similar actions within their organizations.

Who Should Use ACRs

The goal of ACRs is to help organizations improve their cyber risk management practices. To that end, CISA designed ACRs to be applicable to a broad range of entities. Although ACRs are generally intended for SLTT governments and private industry partners, other organizations such as international governments, critical infrastructure operators, and cross-industry consortiums can also benefit from the recommendations and lessons they contain.

What to Expect

ACRs are action-oriented and structured to provide timely information on specific, real-life cyber incidents and threats. Each ACR includes:  

  • Information regarding threats the Federal Government has determined to be a high risk, and how those threats can impact an organization 

  • A specific set of actions, also implemented by Federal departments and agencies, that organizations can take to mitigate these risks

  • Lessons learned, as well as implementation and resource considerations, based on the Federal Government’s experience implementing the recommended mitigation actions 

  • Helpful information and implementation references 

ACRs Currently Available

CISA releases ACRs when it determines that action needs to be taken within the Federal Government to deal with a particular threat or vulnerability, and that similar guidance is applicable to non-Federal partners.

ACRs currently available are listed below, with their respective links.

  • Mitigate DNS Infrastructure Tampering
  • Remediate Vulnerabilities for Internet-Accessible Systems
  • Secure High Value Assets (HVAs)
  • Enhance Email and Web Security

How to Keep Up with the Latest ACRs

Over the course of the coming months, SLTT and private industry partners can expect a series of engagements and webinars overviewing individual ACRs. In the meantime, SLTT and private industry representatives can connect with CISA via e-mail at for more information.