
Information Technology (IT) Sector-Specific Goals (SSGs) | CISA

<!DOCTYPE html> <html lang="en" dir="ltr" prefix="og: https://ogp.me/ns#" class="no-js"> <head> <meta charset="utf-8" /> <link rel="canonical" href="https://www.cisa.gov/resources-tools/resources/information-technology-it-sector-specific-goals-ssgs" /> <title>Information Technology (IT) Sector-Specific Goals (SSGs) | CISA</title> </head> <body class="path-node not-front node-page node-page--node-type-resource" id="top"> <div class="dialog-off-canvas-main-canvas" data-off-canvas-main-canvas> <div class="l-site-container"> <main id="main" class="c-main" role="main" tabindex="-1"> <div class="l-content"> <div
class="is-promoted l-full"> <div class="l-full__header"> <div class="c-page-title"> <div class="c-page-title__inner l-constrain"> <div class="c-page-title__row"> <div class="c-page-title__content"> <div class="c-page-title__meta">FACT SHEET</div> <h1 class="c-page-title__title"> <span>Information Technology (IT) Sector-Specific Goals (SSGs)</span> </h1> <div class="c-page-title__fields"> <div class="c-field c-field--name-publish-date c-field--type-datetime c-field--label-above"> <div class="c-field__label">Publish Date</div><div class="c-field__content"><time datetime="2025-01-07T12:00:00Z">January 07, 2025</time></div></div> </div> <div class="c-page-title__topic"> <div class="c-topic__label"> Related topics: </div> <div class="c-top__topics"> <a href="/topics/cybersecurity-best-practices">Cybersecurity Best Practices</a>, <a href="/topics/cybersecurity-best-practices/organizations-and-cyber-safety">Organizations and Cyber Safety</a> </div> </div> </div> </div> <div class="c-page-title__decoration"></div> </div> </div> </div> <div class="l-full__main"> <div class="l-page-section l-page-section--rich-text"> <div class="l-constrain"> <div class="l-page-section__content"> <h4><strong>Information Technology (IT) Sector-Specific Goals (SSGs) Overview</strong></h4> <p>The IT SSGs are additional voluntary practices with high-impact security actions, beyond the Cross-Sector CPGs, that outline measures IT Sector businesses and critical infrastructure owners can take to protect themselves against cyber threats. They were developed from CISA’s operational data and research on the current threat landscape, in collaboration with government, industry groups, and private sector experts.</p> <p>Learn more about the Cross-Sector CPGs on which the SSGs are based: <a href="https://edit.cisa.gov/cybersecurity-performance-goals-cpgs-0">Cybersecurity Performance Goals (CPGs)</a>.</p> <h4><strong>Software Development (SD) Process Goals</strong></h4> <dl 
class="ckeditor-accordion"> <dt><strong>IT/SD SSG #1 - Separate all environments used in software development</strong></dt> <dd> <p><strong>Outcome:</strong></p> <ul> <li>All environments used in software development, including development, build, test, and distribution environments, are separated from each other to prevent unauthorized access to sensitive data and systems</li> </ul> <p><strong>TTP or Risk Addressed:&nbsp;</strong></p> <ul> <li>Reduce the risk of lateral movement or privilege escalation between development and sensitive business environments (TA0008)</li> </ul> <p><strong>Scope:&nbsp;</strong></p> <ul> <li>All software development environments.</li> </ul> <p><strong>Recommended Action:&nbsp;</strong></p> <ul> <li>All software development environments should be logically separated from each other, with the separation enforced via controls such as network segmentation and access controls.</li> </ul> <p><strong>Measurement</strong></p> <ul> <li>Do organizations separate all environments used in software development, including development, build, test, and distribution? 
(Yes/No)</li> </ul> <p><strong>NIST SSDF Reference:&nbsp;</strong></p> <ul> <li>PO.5.1</li> </ul> <p><strong>NIST CSF 2.0 Reference:&nbsp;</strong></p> <ul> <li>PR.PS-06</li> <li>PR.IR-01</li> <li>PR.IR-03</li> </ul> <p><strong>CISA Secure Software Development Attestation</strong></p> <ul> <li>1a) Separating and protecting each environment involved in developing and building software;</li> </ul> <p><strong>Cost:</strong></p> <ul> <li>Medium</li> </ul> <p><strong>Impact:</strong></p> <ul> <li>High</li> </ul> <p><strong>Complexity:</strong></p> <ul> <li>High</li> </ul> </dd> <dt><strong>IT/SD SSG #2 - Regularly log, monitor, and review trust relationships used for authorization and access across software development environments</strong></dt> <dd> <p><strong>Outcome:</strong></p> <ul> <li>All software development environments and tooling have associated logging and monitoring mechanisms</li> </ul> <p><strong>TTP or Risk Addressed:&nbsp;</strong></p> <ul> <li>Lateral movement, privilege escalation, insider threats, data exfiltration</li> </ul> <p><strong>Scope:&nbsp;</strong></p> <ul> <li>All software development environments.</li> </ul> <p><strong>Recommended Action:&nbsp;</strong></p> <ul> <li>Perform a review of all software development environments and tooling to verify that the associated logging capabilities and functions are enabled.</li> </ul> <p><strong>Measurement</strong></p> <ul> <li>Do organizations have the ability to audit access to all environments used in software development? (Yes/No)</li> <li>Are audit logs available and monitored? 
(Yes/No)</li> </ul> <p><strong>NIST SSDF Reference:&nbsp;</strong></p> <ul> <li>PO.5.1&nbsp;&nbsp;</li> </ul> <p><strong>NIST CSF 2.0 Reference:&nbsp;</strong></p> <ul> <li>PR.PS-04</li> <li>DE.CM-03</li> <li>DE.CM-06</li> <li>DE.CM-09</li> </ul> <p><strong>CISA Secure Software Development Attestation</strong></p> <ul> <li>1b) Regularly logging, monitoring, and auditing<br>&nbsp;&nbsp;&nbsp;&nbsp;trust relationships used for authorization and access:<br>&nbsp;&nbsp;&nbsp;&nbsp;i) to any software development and build<br>&nbsp;&nbsp;&nbsp;&nbsp;environments; and<br>&nbsp;&nbsp;&nbsp;&nbsp;ii) among components within each<br>&nbsp;&nbsp;&nbsp;&nbsp;environment;</li> </ul> <p><strong>Cost:</strong></p> <ul> <li>Medium</li> </ul> <p><strong>Impact:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</strong></p> <ul> <li>High</li> </ul> <p><strong>Complexity:</strong></p> <ul> <li>Medium</li> </ul> </dd> <dt><strong>IT/SD SSG #3 Enforce Multi-Factor Authentication (MFA) across software development environments</strong></dt> <dd> <p><strong>Outcome:</strong></p> <ul> <li>Users are required to authenticate into software development environments with multi-factor authentication (MFA)</li> </ul> <p><strong>TTP or Risk Addressed:&nbsp;</strong></p> <ul> <li>Initial access, privilege escalation, lateral movement, code misconfigurations, outdated code dependencies</li> </ul> <p><strong>Scope:&nbsp;</strong></p> <ul> <li>Software.</li> </ul> <p><strong>Recommended Action:&nbsp;</strong></p> <ul> <li>Require MFA (ideally phishing-resistant MFA) to access all software development environments.</li> </ul> <p><strong>Measurement</strong></p> <ul> <li>Is MFA required to access all software development environments? 
(Yes/No)</li> </ul> <p><strong>NIST SSDF Reference:&nbsp;</strong></p> <ul> <li>PO.5.1</li> <li>PO.5.2</li> </ul> <p><strong>NIST CSF 2.0 Reference:&nbsp;</strong></p> <ul> <li>PR.AA-01</li> <li>PR.AA-03</li> <li>PR.AA-04</li> <li>PR.AA-05</li> </ul> <p><strong>CISA Secure Software Development Attestation</strong></p> <ul> <li>1c) Enforcing multi-factor authentication and conditional access across the environments relevant to developing and building software in a manner that minimizes security risk;</li> </ul> <p><strong>Cost:</strong></p> <ul> <li>Low</li> </ul> <p><strong>Impact:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</strong></p> <ul> <li>High</li> </ul> <p><strong>Complexity:</strong></p> <ul> <li>Low</li> </ul> </dd> <dt><strong>IT/SD SSG #4 Establish and enforce security requirements for software products used across software development environments</strong></dt> <dd> <p><strong>Outcome:</strong></p> <ul> <li>Organizations have defined processes, policies, and procedures for managing risks of software products used across software development environments</li> </ul> <p><strong>TTP or Risk Addressed:&nbsp;</strong></p> <ul> <li>Misconfigurations, Shadow IT, supply chain vulnerabilities, insecure code</li> </ul> <p><strong>Scope:&nbsp;</strong></p> <ul> <li>Software.</li> </ul> <p><strong>Recommended Action:&nbsp;</strong></p> <ul> <li>Document processes, policies, and procedures for managing risks of software products used across software development environments.</li> <li>Maintain, replace, and remove software in accordance with policies, processes, and procedures.</li> <li>Assess the authenticity and integrity of software prior to use in environments.</li> </ul> <p><strong>Measurement</strong></p> <ul> <li>Do organizations have documentation that defines policies, processes, and procedures for managing risks of software products used across development environments? 
(Yes/No)</li> <li>Has the authenticity and integrity of the software been verified prior to installation in development environments? (Yes/No)</li> </ul> <p><strong>NIST SSDF Reference:&nbsp;</strong></p> <ul> <li>PO.5.1</li> </ul> <p><strong>NIST CSF 2.0 Reference:&nbsp;</strong></p> <ul> <li>ID.AM-08</li> <li>ID.RA-09</li> <li>PR.PS-02</li> <li>PR.PS-05</li> </ul> <p><strong>CISA Secure Software Development Attestation</strong></p> <ul> <li>1d) Taking consistent and reasonable steps to document and minimize use or inclusion of software products that create undue risk in the environments used to develop and build software;</li> </ul> <p><strong>Cost:</strong></p> <ul> <li>Low</li> </ul> <p><strong>Impact:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</strong></p> <ul> <li>High</li> </ul> <p><strong>Complexity:</strong></p> <ul> <li>Medium</li> </ul> </dd> <dt><strong>IT/SD SSG #5 Securely store and transmit credentials used in software development environments</strong></dt> <dd> <p><strong>Outcome:</strong></p> <ul> <li>Organizations have eliminated the insecure storage and transmission of plaintext credentials</li> </ul> <p><strong>TTP or Risk Addressed:&nbsp;</strong></p> <ul> <li>Lateral movement, privilege escalation, insider threats, data exfiltration</li> </ul> <p><strong>Scope:&nbsp;</strong></p> <ul> <li>All software development environments.</li> </ul> <p><strong>Recommended Action:&nbsp;</strong></p> <ul> <li>Do not store sensitive data or credentials in source code. Instead, store sensitive data and credentials in an encrypted manner, such as using a secret manager.</li> <li>Securely store and rotate SSH keys.</li> </ul> <p><strong>Measurement</strong></p> <ul> <li>Have organizations eliminated the insecure storage of credentials and other sensitive data in source code? 
(Yes/No)</li> </ul> <p><strong>NIST SSDF Reference:&nbsp;</strong></p> <ul> <li>PO.5.2</li> </ul> <p><strong>NIST CSF 2.0 Reference:&nbsp;</strong></p> <ul> <li>ID.AM-08</li> <li>PR.DS-01</li> <li>PR.DS-02</li> <li>PR.DS-10</li> </ul> <p><strong>CISA Secure Software Development Attestation</strong></p> <ul> <li>1e) Encrypting sensitive data, such as credentials, to the extent practicable and based on risk;</li> </ul> <p><strong>Cost:</strong></p> <ul> <li>Medium</li> </ul> <p><strong>Impact:</strong></p> <ul> <li>High</li> </ul> <p><strong>Complexity:</strong></p> <ul> <li>Medium</li> </ul> </dd> <dt><strong>IT/SD SSG #6 Implement effective perimeter and internal network monitoring solutions with streamlined, real-time alerting to aid responses to suspected and confirmed cyber incidents</strong></dt> <dd> <p><strong>Outcome:</strong></p> <ul> <li>The organization monitors environments to determine the presence of indicators of compromise (IOCs).</li> <li>Upon determination of suspected or actual IOCs, the incident response playbook is activated.</li> </ul> <p><strong>TTP or Risk Addressed:&nbsp;</strong></p> <ul> <li>Initial access, lateral movement, command and control (C2), privilege escalation, data exfiltration, insider threats</li> </ul> <p><strong>Scope:&nbsp;</strong></p> <ul> <li>Hardware, software, and firmware.</li> </ul> <p><strong>Recommended Action:&nbsp;</strong></p> <ul> <li>Establish an incident response playbook with criteria for declaring incidents, along with protocols that clearly define roles and responsibilities and identify the stakeholders who require notification.</li> <li>Designate an enterprise incident response team and conduct frequent tabletop exercises.</li> </ul> <p><strong>Measurement</strong></p> <ul> <li>Do organizations have perimeter and internal network monitoring solutions with real-time alerting capabilities? 
(Yes/No)</li> <li>Do organizations have a documented incident response playbook with defined criteria and protocols to follow once an incident is declared? (Yes/No)</li> </ul> <p><strong>NIST SSDF Reference:&nbsp;</strong></p> <ul> <li>PO.3.2</li> <li>PO.3.3</li> <li>PO.5.1</li> <li>PO.5.2</li> </ul> <p><strong>NIST CSF 2.0 Reference:&nbsp;</strong></p> <ul> <li>DE.CM-01</li> <li>DE.CM-03</li> <li>DE.CM-06</li> <li>DE.CM-09</li> </ul> <p><strong>CISA Secure Software Development Attestation</strong></p> <ul> <li>1f) Implementing defensive cybersecurity practices, including continuous monitoring of operations and alerts and, as necessary, responding to suspected and confirmed cyber incidents;</li> </ul> <p><strong>Cost:</strong></p> <ul> <li>High</li> </ul> <p><strong>Impact:</strong></p> <ul> <li>High</li> </ul> <p><strong>Complexity:</strong></p> <ul> <li>Medium</li> </ul> </dd> <dt><strong>IT/SD SSG #7 Establish a software supply chain risk management program</strong></dt> <dd> <p><strong>Outcome:</strong></p> <ul> <li>Cybersecurity supply chain risk management practices are integrated into the software development lifecycle.</li> </ul> <p><strong>TTP or Risk Addressed:&nbsp;</strong></p> <ul> <li>Code tampering, outdated code dependencies, data breaches.</li> </ul> <p><strong>Scope:&nbsp;</strong></p> <ul> <li>Software.</li> </ul> <p><strong>Recommended Action:&nbsp;</strong></p> <ul> <li>Conduct code testing and audit software supply chain practices and document the activities conducted.</li> </ul> <p><strong>Measurement</strong></p> <ul> <li>Do organizations have documentation that explicitly defines the roles, responsibilities, and requirements for code testing? (Yes/No)</li> <li>Do organizations document code testing and auditing activities involving software supply chain practices? 
(Yes/No)</li> </ul> <p><strong>NIST SSDF Reference:&nbsp;</strong></p> <ul> <li>PO.1.1</li> <li>PO.3.1</li> <li>PO.3.2</li> <li>PO.5.1</li> <li>PO.5.2</li> <li>PS.1.1</li> <li>PS.2.1</li> <li>PS.3.1</li> <li>PW.4.1</li> <li>PW.4.4</li> <li>PW.7.1</li> <li>PW.8.1</li> <li>RV.1.1</li> </ul> <p><strong>NIST CSF 2.0 Reference:&nbsp;</strong></p> <ul> <li>ID.AM-02</li> <li>GV.SC-01</li> <li>GV.SC-02</li> <li>GV.SC-03</li> <li>GV.SC-04</li> <li>GV.SC-05</li> <li>GV.SC-06</li> <li>GV.SC-07</li> <li>GV.SC-08</li> <li>GV.SC-09</li> <li>GV.SC-10</li> </ul> <p><strong>CISA Secure Software Development Attestation</strong></p> <ul> <li>2) The software producer is making a dedicated effort to maintain trusted source code supply chains for both internally produced and third party-provided components;</li> </ul> <p><strong>Cost:</strong></p> <ul> <li>High</li> </ul> <p><strong>Impact:</strong></p> <ul> <li>High</li> </ul> <p><strong>Complexity:</strong></p> <ul> <li>Medium</li> </ul> </dd> <dt><strong>IT/SD SSG #8 Make a Software Bill of Materials (SBOM) available to customers</strong></dt> <dd> <p><strong>Outcome:</strong></p> <ul> <li>Customers should be provided with documentation that demonstrates component provenance.</li> </ul> <p><strong>TTP or Risk Addressed:&nbsp;</strong></p> <ul> <li>Code tampering, outdated code dependencies, data breaches.</li> </ul> <p><strong>Scope:&nbsp;</strong></p> <ul> <li>Software.</li> </ul> <p><strong>Recommended Action:&nbsp;</strong></p> <ul> <li>Develop a Software Bill of Materials (SBOM) and provide it to customers with each product.</li> </ul> <p><strong>Measurement</strong></p> <ul> <li>Do organizations have a Software Bill of Materials (SBOM) that accompanies their software products? 
(Yes/No)</li> </ul> <p><strong>NIST SSDF Reference:&nbsp;</strong></p> <ul> <li>PO.1.3</li> <li>PO.3.2</li> <li>PO.5.1</li> <li>PO.5.2</li> <li>PS.3.1</li> <li>PS.3.2</li> <li>PW.4.1</li> <li>PW.4.4</li> <li>RV.1.1</li> <li>RV.1.2</li> </ul> <p><strong>NIST CSF 2.0 Reference:&nbsp;</strong></p> <ul> <li>GV.SC-03</li> <li>GV.SC-06</li> <li>GV.SC-07</li> </ul> <p><strong>CISA Secure Software Development Attestation</strong></p> <ul> <li>3) The software producer maintains provenance for internal code and third-party components incorporated into the software to the greatest extent feasible;</li> </ul> <p><strong>Cost:</strong></p> <ul> <li>High</li> </ul> <p><strong>Impact:</strong></p> <ul> <li>High</li> </ul> <p><strong>Complexity:</strong></p> <ul> <li>High</li> </ul> </dd> <dt><strong>IT/SD SSG #9 Inspect source code for vulnerabilities through automated tools or comparable processes and mitigate known vulnerabilities prior to any release of products, versions, or update releases &nbsp;&nbsp;</strong></dt> <dd> <p><strong>Outcome:</strong></p> <ul> <li>Security testing is conducted in a codified, repeatable, and time sensitive fashion on new and current products.</li> </ul> <p><strong>TTP or Risk Addressed:&nbsp;</strong></p> <ul> <li>Initial access, privilege escalation, lateral movement, code misconfigurations, outdated code dependencies.</li> </ul> <p><strong>Scope:&nbsp;</strong></p> <ul> <li>Software.</li> </ul> <p><strong>Recommended Action:&nbsp;</strong></p> <ul> <li>Perform Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA) where appropriate.</li> </ul> <p><strong>Measurement</strong></p> <ul> <li>Do organizations employ automated tools or comparable processes that inspect source code for vulnerabilities prior to product, version, or update releases? 
(Yes/No)</li> </ul> <p><strong>NIST SSDF Reference:&nbsp;</strong></p> <ul> <li>PO.4.1</li> <li>PO.4.2</li> <li>PS.1.1</li> <li>PW.2.1</li> <li>PW.4.4</li> <li>PW.5.1</li> <li>PW.6.1</li> <li>PW.6.2</li> <li>PW.7.1</li> <li>PW.7.2</li> <li>PW.8.2</li> <li>PW.9.1</li> <li>PW.9.2</li> <li>RV.1.1</li> <li>RV.1.2</li> <li>RV.1.3</li> <li>RV.2.1</li> <li>RV.2.2</li> <li>RV.3.3</li> </ul> <p><strong>NIST CSF 2.0 Reference:&nbsp;</strong></p> <ul> <li>ID.AM-02</li> <li>ID.AM-08</li> <li>ID.RA-09</li> <li>PR.PS-02</li> <li>PR.PS-06</li> </ul> <p><strong>CISA Secure Software Development Attestation</strong></p> <ul> <li>4a) The software producer employs automated tools or comparable processes that check for security vulnerabilities. The software producer operates these processes on an ongoing basis and, at a minimum, prior to product, version, or update releases;</li> </ul> <p><strong>Cost:</strong></p> <ul> <li>Medium</li> </ul> <p><strong>Impact:</strong></p> <ul> <li>High</li> </ul> <p><strong>Complexity:</strong></p> <ul> <li>Medium</li> </ul> </dd> <dt><strong>IT/SD SSG #10 Address identified vulnerabilities prior to product release</strong></dt> <dd> <p><strong>Outcome:</strong></p> <ul> <li>Identification of vulnerabilities prior to release triggers an action to either remediate or address the vulnerability before release.</li> </ul> <p><strong>TTP or Risk Addressed:&nbsp;</strong></p> <ul> <li>Initial access, privilege escalation, lateral movement, code misconfigurations, outdated code dependencies.</li> </ul> <p><strong>Scope:&nbsp;</strong></p> <ul> <li>Software.</li> </ul> <p><strong>Recommended Action:&nbsp;</strong></p> <ul> <li>Develop, maintain, and execute a process or policy that governs actions to take upon identification of a security vulnerability prior to a product release.</li> </ul> <p><strong>Measurement</strong></p> <ul> <li>Is there a codified policy or process whereby any vulnerabilities identified before release are addressed? 
(Yes/No)</li> </ul> <p><strong>NIST SSDF Reference:&nbsp;</strong></p> <ul> <li>PO.4.1</li> <li>PO.4.2</li> <li>PS.1.1</li> <li>PW.2.1</li> <li>PW.4.4</li> <li>PW.5.1</li> <li>PW.6.1</li> <li>PW.6.2</li> <li>PW.7.1</li> <li>PW.7.2</li> <li>PW.8.2</li> <li>PW.9.1</li> <li>PW.9.2</li> <li>RV.1.1</li> <li>RV.1.2</li> <li>RV.1.3</li> <li>RV.2.1</li> <li>RV.2.2</li> <li>RV.3.3</li> </ul> <p><strong>NIST CSF 2.0 Reference:&nbsp;</strong></p> <ul> <li>ID.AM-08</li> <li>ID.RA-01</li> <li>ID.RA-04</li> <li>ID.RA-05</li> </ul> <p><strong>CISA Secure Software Development Attestation</strong></p> <ul> <li>4b) The software producer has a policy or process to address discovered security vulnerabilities prior to product release;</li> </ul> <p><strong>Cost:</strong></p> <ul> <li>Low</li> </ul> <p><strong>Impact:</strong></p> <ul> <li>High</li> </ul> <p><strong>Complexity:</strong></p> <ul> <li>Medium</li> </ul> </dd> <dt><strong>IT/SD SSG #11 Publish a vulnerability disclosure policy</strong></dt> <dd> <p><strong>Outcome:</strong></p> <ul> <li>Publish a vulnerability disclosure policy that meets the defined criteria.</li> </ul> <p><strong>TTP or Risk Addressed:&nbsp;</strong></p> <ul> <li>Initial access, privilege escalation, lateral movement, code misconfigurations, outdated code dependencies.</li> </ul> <p><strong>Scope:&nbsp;</strong></p> <ul> <li>Software.</li> </ul> <p><strong>Recommended Action:&nbsp;</strong></p> <ul> <li>Publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on products offered by the manufacturer, commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP, provides a clear channel to report vulnerabilities, and allows for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure best practices and international standards.</li> <li>Address disclosed software vulnerabilities in a timely fashion.</li> </ul> 
<p><strong>Measurement</strong></p> <ul> <li>Do organizations have a published vulnerability disclosure policy that meets the defined criteria? (Yes/No)</li> </ul> <p><strong>NIST SSDF Reference:&nbsp;</strong></p> <ul> <li>PO.4.1</li> <li>PO.4.2</li> <li>PS.1.1</li> <li>PW.2.1</li> <li>PW.4.4</li> <li>PW.5.1</li> <li>PW.6.1</li> <li>PW.6.2</li> <li>PW.7.1</li> <li>PW.7.2</li> <li>PW.8.2</li> <li>PW.9.1</li> <li>PW.9.2</li> <li>RV.1.1</li> <li>RV.1.2</li> <li>RV.1.3</li> <li>RV.2.1</li> <li>RV.2.2</li> <li>RV.3.3</li> </ul> <p><strong>NIST CSF 2.0 Reference:&nbsp;</strong></p> <ul> <li>ID.RA-01</li> <li>ID.RA-04</li> <li>ID.RA-05</li> <li>ID.RA-08</li> </ul> <p><strong>CISA Secure Software Development Attestation</strong></p> <ul> <li>4c) The software producer operates a vulnerability disclosure program and accepts, reviews, and addresses disclosed software vulnerabilities in a timely fashion and adheres to any timelines specified in the vulnerability disclosure program or applicable policies.</li> </ul> <p><strong>Cost:</strong></p> <ul> <li>Low</li> </ul> <p><strong>Impact:</strong></p> <ul> <li>High</li> </ul> <p><strong>Complexity:</strong></p> <ul> <li>Low</li> </ul> </dd> </dl> <p>&nbsp;</p> <h4><strong>Product Design (PD) Goals</strong></h4> <dl class="ckeditor-accordion"> <dt><strong>IT/PD SSG #1 Increase the use of multifactor authentication (MFA)</strong></dt> <dd> <p><strong>Outcome:</strong></p> <ul> <li>More users use MFA to authenticate</li> </ul> <p><strong>TTP or Risk Addressed:&nbsp;</strong></p> <ul> <li>TA0006 Credential Access.</li> <li>Reduce the risk of password compromise or utilization of weak passwords.</li> </ul> <p><strong>Scope:&nbsp;</strong></p> <ul> <li>Software.</li> </ul> <p><strong>Recommended Action:&nbsp;</strong></p> <ul> <li>Increase the use of MFA, such as by enabling MFA (ideally, phishing-resistant MFA) by default for users and administrators.</li> <li>Implementing “seat belt chimes” in products to nudge users 
towards enabling MFA. This could include banners or interstitials notifying users or administrators that MFA is not enabled or suggesting that administrators enable phishing-resistant MFA.</li> <li>Supporting standards-based single sign-on (SSO) in the baseline version of the product, allowing customers to configure it with their own identity provider that supports MFA.</li> </ul> <p><strong>Measurement</strong></p> <ul> <li>What percent of users on the organization's products use MFA?</li> </ul> <p><strong>NIST SSDF Reference:&nbsp;</strong></p> <ul> <li>PO.1.1</li> <li>PO.1.2</li> <li>PO.1.3</li> </ul> <p><strong>NIST CSF 2.0 Reference:&nbsp;</strong></p> <ul> <li>PR.AA-02</li> <li>PR.AA-03</li> <li>PR.AA-04</li> </ul> <p><strong>Cost:</strong></p> <ul> <li>Low</li> </ul> <p><strong>Impact:</strong></p> <ul> <li>High</li> </ul> <p><strong>Complexity:</strong></p> <ul> <li>Low</li> </ul> </dd> <dt><strong>IT/PD SSG #2 Reduce default passwords</strong></dt> <dd> <p><strong>Outcome:</strong></p> <ul> <li>The product does not use default passwords</li> </ul> <p><strong>TTP or Risk Addressed:&nbsp;</strong></p> <ul> <li>T0812 Default Credentials.</li> <li>Adversaries may leverage manufacturer- or supplier-set default credentials on control system devices.</li> </ul> <p><strong>Scope:&nbsp;</strong></p> <ul> <li>Software.</li> </ul> <p><strong>Recommended Action:&nbsp;</strong></p> <p>Eliminate default passwords from the organization's software products. 
Instead, take an alternate approach, such as:</p> <ul> <li>Providing random, instance-unique initial passwords for the product.</li> <li>Requiring the user who installs the product to create a strong password at the start of the installation process.</li> <li>Providing time-limited setup passwords that disable themselves when a setup process is complete and require configuration of a secure password (or more secure authentication approaches, such as phishing-resistant MFA).</li> <li>Requiring physical access for initial setup and the specification of instance-unique credentials.</li> <li>Conducting campaigns or offering updates that transition existing deployments from default passwords to more secure authentication mechanisms.</li> </ul> <p><strong>Measurement</strong></p> <ul> <li>How many of the organization's products use default passwords?</li> </ul> <p><strong>NIST SSDF Reference:&nbsp;</strong></p> <ul> <li>PO.1.1</li> <li>PO.1.2</li> <li>PO.1.3</li> </ul> <p><strong>NIST CSF 2.0 Reference:&nbsp;</strong></p> <ul> <li>PR.AA-01</li> </ul> <p><strong>Cost:</strong></p> <ul> <li>Low</li> </ul> <p><strong>Impact:</strong></p> <ul> <li>High</li> </ul> <p><strong>Complexity:</strong></p> <ul> <li>Medium</li> </ul> </dd> <dt><strong>IT/PD SSG #3 Reduce entire classes of vulnerabilities</strong></dt> <dd> <p><strong>Outcome:</strong></p> <ul> <li>Organizations should proactively reduce systemic classes of vulnerabilities</li> </ul> <p><strong>TTP or Risk Addressed:&nbsp;</strong></p> <ul> <li>Code tampering, outdated code dependencies, data breaches</li> </ul> <p><strong>Scope:&nbsp;</strong></p> <ul> <li>Software.</li> </ul> <p><strong>Recommended Action:&nbsp;</strong></p> <p>Take approaches that work towards reducing entire classes of vulnerabilities, such as:</p> <ul> <li>Implement parameterized queries to reduce SQL injection vulnerabilities.</li> <li>Transition to utilizing memory-safe languages to reduce memory safety vulnerabilities.</li> <li>Utilize web 
template frameworks to reduce cross-site scripting (XSS) vulnerabilities.</li> </ul> <p><strong>Measurement</strong></p> <ul> <li>Has the organization taken steps toward reducing classes of vulnerabilities in its products? (Yes/No)</li> </ul> <p><strong>NIST SSDF Reference:&nbsp;</strong></p> <ul> <li>PO.1.2</li> <li>RV.3.3</li> </ul> <p><strong>NIST CSF 2.0 Reference:&nbsp;</strong></p> <ul> <li>PR.PS-02</li> <li>PR.PS-06</li> </ul> <p><strong>Cost:</strong></p> <ul> <li>High</li> </ul> <p><strong>Impact:</strong></p> <ul> <li>High</li> </ul> <p><strong>Complexity:</strong></p> <ul> <li>High</li> </ul> </dd> <dt><strong>IT/PD SSG #4 Provide customers with security patching in a timely manner</strong></dt> <dd> <p><strong>Outcome:</strong></p> <ul> <li>Security patches are offered on a widespread basis to customers</li> </ul> <p><strong>TTP or Risk Addressed:&nbsp;</strong></p> <ul> <li>Initial access, privilege escalation, lateral movement</li> </ul> <p><strong>Scope:&nbsp;</strong></p> <ul> <li>Software.</li> </ul> <p><strong>Recommended Action:&nbsp;</strong></p> <ul> <li>Provide security patches to customers in a timely manner and on a widespread basis</li> </ul> <p><strong>Measurement</strong></p> <ul> <li>Do organizations provide security patches to customers in a timely manner and on a widespread basis? 
(Yes/No)</li> </ul> <p><strong>NIST SSDF Reference:&nbsp;</strong></p> <ul> <li>RV.2.2</li> </ul> <p><strong>NIST CSF 2.0 Reference:&nbsp;</strong></p> <ul> <li>PR.DS-01</li> <li>PR.PS-02</li> </ul> <p><strong>Cost:</strong></p> <ul> <li>Medium</li> </ul> <p><strong>Impact:</strong></p> <ul> <li>High</li> </ul> <p><strong>Complexity:</strong></p> <ul> <li>Medium</li> </ul> </dd> <dt><strong>IT/PD SSG #5 Ensure customers understand when products are nearing end of life support and security patches will no longer be provided</strong></dt> <dd> <p><strong>Outcome:</strong></p> <ul> <li>Users understand when software is no longer supported and will transition to supported products</li> </ul> <p><strong>TTP or Risk Addressed:&nbsp;</strong></p> <ul> <li>Inadequate patching of software vulnerabilities exposes systems to significant risk</li> </ul> <p><strong>Scope:&nbsp;</strong></p> <ul> <li>Software.</li> </ul> <p><strong>Recommended Action:&nbsp;</strong></p> <ul> <li>Notify customers and confirm receipt of notification stating product(s) are nearing end of life support and security patches will no longer be provided.</li> </ul> <p><strong>Measurement</strong></p> <ul> <li>Do organizations notify customers and confirm receipt of notification stating product(s) are nearing end of life support and security patches will no longer be provided to customers? 
(Yes/No)</li> </ul> <p><strong>NIST SSDF Reference:&nbsp;</strong></p> <ul> <li>PO.1.2</li> </ul> <p><strong>NIST CSF 2.0 Reference:&nbsp;</strong></p> <ul> <li>ID.AM-08</li> <li>PR.PS-06</li> </ul> <p><strong>Cost:</strong></p> <ul> <li>Low</li> </ul> <p><strong>Impact:</strong></p> <ul> <li>High</li> </ul> <p><strong>Complexity:</strong></p> <ul> <li>Low</li> </ul> </dd> <dt><strong>IT/PD SSG #6 Include Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the organization's products.</strong></dt> <dd> <p><strong>Outcome:</strong></p> <ul> <li>CVEs that meet the defined criteria are published and CWE and CPE fields are included in all CVEs.</li> </ul> <p><strong>TTP or Risk Addressed:&nbsp;</strong></p> <ul> <li>Initial access, privilege escalation, lateral movement, code misconfigurations, outdated code dependencies.</li> </ul> <p><strong>Scope:&nbsp;</strong></p> <ul> <li>Software.</li> </ul> <p><strong>Recommended Action:&nbsp;</strong></p> <ul> <li>Include accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the organization's products. Additionally, issue CVEs in a timely manner for, at minimum, all critical or high impact vulnerabilities (whether discovered internally or by a third party) that either require actions by a customer to patch or have evidence of active exploitation.</li> </ul> <p><strong>Measurement</strong></p> <ul> <li>Do the organization's CVEs include the CPE and CWE fields? (Yes/No)</li> <li>Does the organization publicly describe their policy for when a CVE is issued? 
(Yes/No)</li> </ul> <p><strong>NIST SSDF Reference:&nbsp;</strong></p> <ul> <li>PO.4.1</li> <li>PO.4.2</li> <li>PS.1.1</li> <li>PW.2.1</li> <li>PW.4.4</li> <li>PW.5.1</li> <li>PW.6.1</li> <li>PW.6.2</li> <li>PW.7.1</li> <li>PW.7.2</li> <li>PW.8.2</li> <li>PW.9.1</li> <li>PW.9.2</li> <li>RV.1.1</li> <li>RV.1.2</li> <li>RV.1.3</li> <li>RV.2.1</li> <li>RV.2.2</li> <li>RV.3.3</li> </ul> <p><strong>NIST CSF 2.0 Reference:&nbsp;</strong></p> <ul> <li>ID.RA-08</li> </ul> <p><strong>Cost:</strong></p> <ul> <li>Low</li> </ul> <p><strong>Impact:</strong></p> <ul> <li>High</li> </ul> <p><strong>Complexity:</strong></p> <ul> <li>Medium</li> </ul> </dd> <dt><strong>IT/PD SSG #7 Increase the ability for customers to gather evidence of cybersecurity intrusions affecting the organization's products</strong></dt> <dd> <p><strong>Outcome:</strong></p> <ul> <li>Customers have access and ability to monitor and respond to intrusions affecting the product.</li> </ul> <p><strong>TTP or Risk Addressed:&nbsp;</strong></p> <ul> <li>Initial access, privilege escalation, lateral movement.</li> </ul> <p><strong>Scope:&nbsp;</strong></p> <ul> <li>Software.</li> </ul> <p><strong>Recommended Action:&nbsp;</strong></p> <ul> <li>Verify whether all products, to the extent possible, have logging capabilities.</li> </ul> <p><strong>Measurement</strong></p> <ul> <li>Do all customers have the ability to monitor and respond to cybersecurity intrusions affecting the organization's products? 
(Yes/No)</li> </ul> <p><strong>NIST SSDF Reference:&nbsp;</strong></p> <ul> <li>PO.5.1</li> </ul> <p><strong>NIST CSF 2.0 Reference:&nbsp;</strong></p> <ul> <li>PR.PS-04</li> <li>DE.CM-09</li> </ul> <p><strong>Cost:</strong></p> <ul> <li>Low</li> </ul> <p><strong>Impact:</strong></p> <ul> <li>High</li> </ul> <p><strong>Complexity:</strong></p> <ul> <li>Low</li> </ul> </dd> </dl> <p>&nbsp;</p> </div> </div> </div> </div> <div class="l-full__footer"> <div class="l-constrain"> <a href="#" class="c-button c-button--small c-button__print">Printer Friendly Version</a> </div> <div class="l-page-section l-page-section--tags l-page-section--rich-text"> <div class="l-constrain"> <div class="l-page-section__content"> <h3>Tags</h3> <div class="c-field"> <strong>Topics</strong>: <a href="/topics/cybersecurity-best-practices">Cybersecurity Best Practices</a>, <a href="/topics/cybersecurity-best-practices/organizations-and-cyber-safety">Organizations and Cyber Safety</a> </div> </div> </div> </div> <div class="c-view c-view--detail-page-related-content c-view--display-block_4 view js-view-dom-id-3d7fcc43231df0523b00c0af7a2b9da89468df48d0ec0c5c756d41c04f85d3e4 c-collection c-collection--blue c-collection--two-column"> <div class="l-constrain"> <div class="c-collection__row"> <div class="c-collection__content"> <h2 class="c-collection__title"><span class="c-collection__title-wrap">Related Resources</span></h2> </div> <div class="c-collection__cards"> <article class="is-promoted c-teaser c-teaser--horizontal" role="article"> <div class="c-teaser__row"> <div class="c-teaser__content"> <div class="c-teaser__eyebrow"> <div class="c-teaser__date"><time datetime="2025-02-12T12:00:00Z">Feb 12, 2025</time> </div> <div class="c-teaser__meta">Fact Sheet, Publication</div> </div> <h3 class="c-teaser__title"> <a href="/resources-tools/resources/secure-design-alert-eliminating-buffer-overflow-vulnerabilities" target="_self"> <span>Secure by Design Alert: Eliminating Buffer Overflow 
