The Center for Internet Security and Council on CyberSecurity Launch a Nationwide Campaign for Basic Cyber Hygiene in Support of NIST Framework Adoption


Campaign provides key recommendations for state and local governments to adopt immediate, low-cost, and effective defenses against cyber attacks

Center for Internet Security
By adopting the foundational measures of the Campaign, organizations can improve their readiness to defend against cyber attack.

Today, the Center for Internet Security (CIS) and Council on CyberSecurity (CCS), working with the Department of Homeland Security (DHS) and the National Governors Association Governors Homeland Security Advisors Council (GHSAC), launched the Cyber Hygiene Campaign. The Campaign provides key recommendations for organizations to adopt immediate, low-cost, and effective defenses against cyber attacks. The recommendations are directly mapped to the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity.

This multi-year effort will help both the public and private sectors to immediately and measurably improve their readiness to defend against the ever-increasing volume of cyber attacks. By adopting the foundational measures outlined in the Campaign, organizations can prioritize and take the most effective measures that will result in immediate and measurable protections against the vast majority of cyber attacks and incidents.

The Cyber Hygiene Campaign supports DHS’s launch of the Critical Infrastructure Cyber Community (C3) Voluntary Program—to assist owners and operators of critical infrastructure systems in using the NIST Framework to improve their network security. NIST released the Framework in February.

Dr. Phyllis Schneck, Deputy Under Secretary for Cybersecurity for the National Protection and Programs Directorate (NPPD) at DHS, said: “Increasing the security and resilience of the systems we all rely on requires a collaborative effort. This Cyber Hygiene Campaign supports the DHS Critical Infrastructure Cyber Community (C3) Voluntary Program’s efforts to help organizations large and small, both public and private, implement the Cybersecurity Framework and improve their cyber practices through a practical approach to addressing evolving threats and challenges.”

Recognizing that there are many important components of a strong cyber security program, the first phase of the Cyber Hygiene Campaign looks at the most critical areas that must be addressed. Subsequent phases will focus on additional steps to improve cyber security. The Campaign initially prioritizes the top five actions to address the most critical areas, which, when implemented, can prevent 80 percent of all known attacks:

1. Inventory authorized and unauthorized devices;
2. Inventory authorized and unauthorized software;
3. Develop and manage secure configurations for all devices;
4. Conduct continuous (automated) vulnerability assessment and remediation; and
5. Actively manage and control the use of administrative privileges.

These five steps align with leading industry guides, including the Critical Security Controls for Effective Cyber Defense, managed by the CCS, and the Australian Government’s Strategies to Mitigate Targeted Cyber Intrusions.

The Cyber Hygiene Campaign is working with state governments to help create a movement toward adoption by all states. In that regard, the GHSAC adopted the Campaign as a key focal point of its 2014/2015 program agenda and will encourage the use of funding through the federal Homeland Security Grant Program (HSGP) to help implement the Campaign’s recommendations for state and local governments. CIS and CCS will provide independent, expert guidance to the Homeland Security Advisors in reviewing grant applications so that they identify measures most important to protecting their networks and systems from cyber attack.

William Pelgrin, CIS President and CEO, said: “The critical importance of defending our assets from cyber threat demands continued efforts. Today, the vast majority of cyber attacks are successful due to failure to implement basic cyber hygiene. Those cornerstones of cyber hygiene are: know your environment; secure your environment; control your environment; and monitor your environment. This Campaign, and the collaboration of CIS, CSC, NGA and GHSAC will help organizations improve their cyber hygiene. By adopting these healthy habits, we can make significant and immediate improvements toward cyber safety.”

Franklin S. Reeder, Chairman of the Board of the Council, said: “The Council believes that all three elements of the cyber ecosystem—people, technology and policy—must be considered together and brought into alignment in order to create a foundation of security practices that are understandable and usable. The Council is pleased to be a part of this collaborative effort to help SLTT governments address these three elements through the implementation of the Top 20 Critical Security Controls and other best practices.”

NGA Executive Director Dan Crippen said: "The GHSAC's participation in this campaign directly aligns with the recommendations that Maryland Gov. Martin O'Malley and Michigan Gov. Rick Snyder developed through the NGA Resource Center for State Cybersecurity. The nation's homeland security advisors are actively assisting governors to establish a baseline of effective cybersecurity practices through this campaign. Ultimately, this is another example of states leading the way to improve the nation's cyber defenses."

Maj. Gen. Donald Dunbar, Wisconsin Homeland Security Advisor and GHSAC Chairman, said: "The GHSAC is pleased to partner with the Council on CyberSecurity and Center for Internet Security on this Cyber Hygiene Campaign. Our Governors are committed to the pervasive challenges associated with cyber threats and have instituted a "Call to Action." This Campaign supports our governors' objectives by providing a realistic, logical and verifiable place to start. Adopting these recommendations will not make you immune from cyber attack, but will make any network more resistant and resilient. This concept is similar to vaccination against the flu - it is not 100 percent guaranteed, but those who get the shot are much less likely to suffer the flu. We all agree on the problem. What we need is a common sense place to start and this Campaign is that first step."

For more information about the Campaign, including tools for use in determining the status of your systems and networks, visit CIS. Greater detail regarding these foundational measures can also be found at

About the Council on CyberSecurity
The Council on CyberSecurity is an independent, expert, not-for-profit organization with a global scope committed to the security of an open Internet. The Council is committed to the ongoing development and widespread adoption of the Critical Controls, to elevating the competencies of the cybersecurity workforce, and to the development of policies that lead to measurable improvements in our ability to operate safely, securely and reliably in cyberspace. For more information, visit the website at

About the GHSAC
The Governors Homeland Security Advisors Council (GHSAC), formed by the National Governors Association, provides an organizational structure through which the homeland security advisors from each state, territory and the District of Columbia can discuss homeland security issues, share information and expertise and keep governors informed of the issues affecting homeland security policies in the states.

About the Center for Internet Security
The Center for Internet Security (CIS) is a 501c3 nonprofit organization focused on enhancing the cyber security readiness and response of public and private sector entities, with a commitment to excellence through collaboration. CIS produces consensus-based, best practice secure configuration benchmarks and security automation content, and serves as the key cyber security resource for state, local, territorial and tribal governments, including chief information security officers, homeland security advisors and fusion centers. CIS provides products and resources that help partners achieve security goals through expert guidance and cost-effective solutions. To learn more please visit or follow us at @CISecurity.

Krista Montie
The Center for Internet Security

Liz Grimes
PR Director - Overit
518-465-8829 x 213

Maurice Uenuma
Council on CyberSecurity
Chief Operating Officer
