Core Metrics Tips

The FY22 Core IG Metrics Tips

1. Maintain an inventory of cloud systems, public-facing websites, third-party systems, and system interconnections.

2. Maintain an up-to-date inventory of hardware assets using standard data elements/taxonomy. This covers GFE and BYOD (bring your own device) hardware connected to the organization’s network, with the detailed information needed for tracking and reporting.

3. Use standard data elements/taxonomy to maintain an up-to-date inventory of software and associated licenses used within the organization, with the detailed information needed for tracking and reporting.

5. Apply appropriate risk management at the organizational, mission/business process, and information system levels.

10. Use technology/automation to provide a centralized, enterprise-wide (portfolio) view of cybersecurity risk management activities across the organization, including risk control and remediation activities, dependencies, risk scores/levels, and management dashboards.

14. Ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and supply chain requirements.

20. Utilize settings/common secure configurations for your organization’s information systems.

21. Efficiently utilize flaw remediation processes, including patch management, to manage software vulnerabilities.

30. Implement strong authentication mechanisms (PIV or Identity Assurance Level (IAL) 3/Authenticator Assurance Level (AAL) 3 credential) for non-privileged users to access the organization’s facilities [organization-defined entry/exit points], networks, and systems, including for remote access.

31. Implement strong authentication mechanisms (PIV or Identity Assurance Level (IAL) 3/Authenticator Assurance Level (AAL) 3 credential) for privileged users to access the organization’s facilities [organization-defined entry/exit points], networks, and systems, including for remote access.

32. Ensure that privileged accounts are provisioned, managed, and reviewed in accordance with the principles of least privilege and separation of duties. This includes processes for periodic review and adjustment of privileged user accounts and permissions, inventorying and validating the scope and number of privileged accounts, and ensuring that privileged user account activities are logged and periodically reviewed.

36. To the highest extent, implement encryption of data at rest and in transit, limit the transfer of data by removable media, and sanitize digital media prior to disposal or reuse, to protect your organization’s PII and other agency-sensitive data, as appropriate, throughout the data life cycle.

37. Adequately implement security controls to prevent data exfiltration and enhance network defenses.

42. Utilize an assessment of the skills, knowledge, and abilities of your workforce to provide tailored awareness and specialized security training within the functional areas of: identify, protect, detect, respond, and recover.

47. Utilize information security continuous monitoring (ISCM) policies and an ISCM strategy that address ISCM requirements and activities at each organizational tier.

49. Assess the maturity of your organization’s processes for performing ongoing information system assessments, granting system authorizations (including developing and maintaining system security plans), and monitoring system security controls.

54. Assess the maturity of your organization’s processes for incident detection and analysis.

55. Assess the maturity of the organization’s processes for incident handling.

61. Ensure that the results of business impact analysis (BIA) are used to guide contingency planning efforts.

63. Perform adequate tests and exercises of your organization’s information system contingency planning processes.


To review the FY22 document questions, visit https://cisa.gov.