The Cybersecurity Program Audit Guide (CPAG) provides guidance for identifying cybersecurity program weaknesses and developing appropriate recommendations for corrective actions. The guide is intended for Congress, federal agencies, state and local auditors, the private sector, and non-profits, and is to be used in conducting cybersecurity performance audits.
Developed with the help of federal officials as well as industry experts, this guidebook outlines the methodology for performing cybersecurity control audits in accordance with professional standards. The CPAG’s six main components and control activities are consistent with policies and guidance from the National Institute of Standards and Technology (NIST) and the Office of Management and Budget.