Cybersecurity Program Audit Guide
Overview
The Cybersecurity Program Audit Guide (CPAG) provides guidance to identify cybersecurity program weaknesses and develop appropriate recommendations for corrective actions. This guide is intended for Congress, federal agencies, state and local auditors, the private sector, and non-profits. The guide is to be used in conducting cybersecurity performance audits.
Developed with the help of federal officials as well as industry experts, this guidebook outlines the methodology for performing cybersecurity control audits in accordance with professional standards. The CPAG’s six main components and control activities are consistent with policies and guidance from the National Institute of Standards and Technology (NIST) and the Office of Management and Budget.
CPAG’s Six Primary Components
Current Cybersecurity Program Audit Guide
For more information on NIST guidance, such as the NIST Special Publications or the Cybersecurity Framework, please visit:
NIST Computer Security Resource Center
Please note that CPAG’s components are consistent with NIST Special Publication 800-53, Revision 5.
GAO Contacts
For questions regarding the CPAG, please e-mail cpag@gao.gov.