Key Security Indicators

The effectiveness of relevant cybersecurity education and training is persistently reviewed, including at least general training for all employees, role-specific training for employees in high risk roles, training for development and engineering staff on secure software delivery, and training for staff involved with incident response or disaster recovery.

Modifications to the cloud service offering are logged and monitored.

Changes to machine-based information resources are executed through the redeployment of version controlled resources rather than direct modification wherever reasonable.

The effectiveness of documented change management procedures is persistently reviewed.

Persistent testing and validation of changes throughout deployment is automated.

The functionality and privileges for infrastructure and services are strictly defined.

The use and configuration of third-party machine-based information resources is persistently compared against the original provider's best practices and guidance.

Machine-based information resources are persistently reviewed to ensure they have a minimal attack surface and that lateral movement is minimized if compromised.

Machine-based information resources are persistently reviewed to ensure they are appropriately optimized for high availability and rapid recovery.

Machine-based information resources are persistently reviewed to ensure they are appropriately configured to limit inbound and outbound network traffic.

The effectiveness of protection against denial of service attacks and other unwanted activity for machine-based information resources is persistently reviewed.

Logical networking and related capabilities are used and persistently reviewed to enforce traffic flow controls.

The lifecycle and privileges of all accounts, roles, and groups are securely managed using automation.

Secure passwordless methods are used for user authentication and authorization when feasible, otherwise strong passwords with phishing-resistant MFA is used.

Identity and access management measures are used and persistently reviewed to ensure each user or device can only access the resources they need.

A least-privileged, role and attribute-based, and just-in-time security authorization model is used and persistently reviewed for all user and non-user accounts and services.

Appropriately secure authentication methods are used and persistently reviewed for non-user accounts and services.

Accounts with privileged access are disabled or otherwise secured in response to suspicious activity.

Incident after action reports are generated and lessons learned are persistently incorporated.

The effectiveness of documented incident response procedures is persistently reviewed.

Past incidents are persistently reviewed for patterns or vulnerabilities that were not previously apparent or identified.

The configuration of machine-based information resources, especially infrastructure as code, is persistently evaluated and tested.

A list of information resources and event types that will be logged, monitored, and audited is maintained and persistently reviewed to ensure these activities occur.

A Security Information and Event Management (SIEM) or similar system(s) is used and persistently reviewed for centralized, tamper-resistant logging of events, activities, and changes.

Logs are persistently reviewed and audited.

Authoritative sources are used to automatically generate real-time inventories of all information resources when needed.

Executive support for achieving the provider's security goals is persistently reviewed and demonstrated.

The effectiveness of the provider's investments in achieving security goals is persistently reviewed.

The effectiveness of building security and privacy considerations into the Software Development Lifecycle and aligning with CISA Secure By Design principles is persistently reviewed.

The effectiveness of the provider's vulnerability disclosure program is persistently reviewed.

The alignment of machine-based information resource backups with defined recovery objectives is persistently reviewed.

The alignment of recovery plans with defined recovery objectives is persistently reviewed.

The desired Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are defined and persistently reviewed for alignment with the provider's business needs and capabilities.

The capability to recover from incidents and contingencies aligned with defined recovery objectives is persistently tested.

Persistently identify, review, and mitigate potential supply chain risks.

Third party software information resources are automatically monitored for upstream vulnerabilities using mechanisms that may include contractual notification requirements or active monitoring services.

The configuration of machine-based information resources is managed using automation and persistently reviewed for drift.

Management, protection, and regular rotation of digital keys, certificates, and other secrets is automated and persistently reviewed.

Information resources are persistently evaluated for opportunities to improve security and those improvements are persistently made.

Information is encrypted or otherwise secured from unwanted access or modification.

Use cryptographic methods to validate the integrity of machine-based information resources.