Cybersecurity Program Audit Guide

Overview

The Cybersecurity Program Audit Guide (CPAG) provides guidance for identifying cybersecurity program weaknesses and developing appropriate recommendations for corrective actions. This guide is intended for Congress, federal agencies, state and local auditors, the private sector, and non-profits, and is to be used in conducting cybersecurity performance audits.

Developed with the help of federal officials as well as industry experts, this guidebook outlines the methodology for performing cybersecurity control audits in accordance with professional standards. The CPAG’s six main components and control activities are consistent with policies and guidance from the National Institute of Standards and Technology (NIST) and the Office of Management and Budget.

CPAG’s Six Primary Components

Figure: The Cybersecurity Program Audit Guide's Six Primary Components - Asset and risk management; Configuration management; Identity and access management; Continuous monitoring and logging; Incident response; and Contingency planning and recovery

Current Cybersecurity Program Audit Guide

For more information on NIST guidance such as NIST Special Publications or the Cybersecurity Framework please visit:

NIST Computer Security Resource Center

Please note that CPAG’s components are consistent with NIST Special Publication 800-53, Revision 5.

GAO Contacts

For questions regarding the CPAG, please e-mail cpag@gao.gov.