Cybersecurity Program Audit Guide | U.S. GAO

Lapse in Appropriations

Please note that a lapse in appropriations has caused GAO to shut down its operations. Therefore, GAO will not be able to publish reports or otherwise update this website until GAO resumes operations. In addition, the vast majority of GAO personnel are not permitted to work. Consequently, calls or emails to agency personnel may not be returned until GAO resumes operations. For details on how the bid protest process will be handled during the shutdown, please see the legal decisions page. For information related to the GAO Personnel Appeals Board (PAB), please see the PAB webpage.

Overview

The Cybersecurity Program Audit Guide (CPAG) provides guidance to identify cybersecurity program weaknesses and develop appropriate recommendations for corrective actions. This guide is intended for Congress, federal agencies, state and local auditors, the private sector, and non-profits. The guide is to be used in conducting cybersecurity performance audits.

Developed with the help of federal officials as well as industry experts, this guidebook outlines the methodology for performing cybersecurity control audits in accordance with professional standards. The CPAG’s six main components and control activities are consistent with policies and guidance from the National Institute of Standards and Technology (NIST) and the Office of Management and Budget.

CPAG’s Six Primary Components

The Cybersecurity Program Audit Guide's Six Primary Components - Asset and risk management; Configuration management; Identity and access management; Continuous monitoring and logging; Incident response; and Contingency planning and recovery

Current Cybersecurity Program Audit Guide

For more information on NIST guidance such as NIST Special Publications or the Cybersecurity Framework please visit:

NIST Computer Security Resource Center

Please note that CPAG’s components are consistent with NIST Special Publication 800-53, Revision 5.

Resources

yellowbook coverpage

The Yellow Book

Generally Accepted Government Auditing Standards (GAGAS), also known as the Yellow Book, provides the preeminent standards for government auditing.

The Green Book icon.

The Green Book

Standards for Internal Control in the Federal Government, known as the "Green Book," sets the standards for an effective internal control system for federal agencies.

An Info. System Audit Manual icon.

Federal Information System Controls Audit Manual (FISCAM)

FISCAM presents a methodology for performing information system (IS) control audits of federal and other governmental entities in accordance with professional standards.

Financial Audit Manual

Financial Audit Manual

The Financial Audit Manual (FAM) presents a methodology for performing financial statement audits of federal entities in accordance with professional standards.

A photo of GAO headquarters in Washington DC. The sign in the photo reads "Government Accountability Office."

Assessing Data Reliability

We published this guide to help auditors assess the reliability of data. It provides a risk-based framework for data reliability assessments that can be geared to the specific circumstances of each engagement.

keyboard lock; Source: weerapat1003\stock.adobe.com.

Featured Topic: Cybersecurity

An overview of cyber challenges facing the nation, and actions needed to address them.

GAO Contacts

For questions regarding the CPAG, please e-mail cpag@gao.gov.

Multimedia

Finding Federal Cybersecurity Weaknesses: GAO Issues New Cybersecurity Guide

Thursday, September 28, 2023

WASHINGTON, D.C (September 28, 2023) – As the risks to IT systems supporting the federal government and the nation’s critical infrastructure increase and security threats continue to evolve, the U.S...