
NSA and CISA List Top Ten Cybersecurity Misconfigurations — October 5, 2023

NSA and CISA’s joint AA23-278A advisory demands board-level oversight to remediate the ten systemic misconfigurations undermining identity, logging, segmentation, and DSAR-ready evidence collection across critical infrastructure operators.


Executive briefing: On October 5, 2023, the U.S. National Security Agency and Cybersecurity and Infrastructure Security Agency released joint Cybersecurity Advisory AA23-278A, summarizing the top ten misconfigurations their red and blue teams continue to encounter during incident response operations across federal agencies, defense industrial base members, state and local governments, and critical infrastructure providers. The advisory emphasizes that misconfigurations—not novel exploits—are the dominant root cause of successful intrusions, exposing regulated personal data stores and obstructing dependable data subject access request (DSAR) fulfillment. Security and privacy leaders must respond with a multi-year governance program that connects board oversight, zero trust implementation, and verifiable rights-request evidence collection. CISA codified the advisory’s mitigations in the 2023 update to its Cross-Sector Cybersecurity Performance Goals, providing regulators and auditors with a checklist to benchmark configuration programs.

Governance imperatives and oversight structure

The advisory calls for immediate escalation to executive risk committees because the enumerated misconfigurations—default credentials, excessive administrative privileges, unsupported end-of-life systems, lack of network segmentation, poor account auditing, weak logging policies, insufficient vulnerability management, unfederated multifactor authentication (MFA) deployment, improperly configured security tools, and exposed services—map directly to obligations in the Federal Information Security Modernization Act (FISMA), NIST SP 800-53 Rev. 5, and sector-specific regulations such as NERC CIP, the HIPAA Security Rule, and the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. Boards should commission quarterly reviews, informed by CISA’s performance goals update and other sector mandates, that examine configuration baselines, confirm that named control owners exist, and verify how those owners support DSAR evidence retention. A governance charter should assign the chief information security officer (CISO) and chief privacy officer (CPO) joint accountability for establishing configuration management policies that preserve the integrity of event logs and access histories needed when responding to DSARs within statutory timelines.

Risk committees should embed AA23-278A in enterprise risk management (ERM) registers as a principal cyber hygiene risk. Include leading indicators such as percentage of privileged accounts enrolled in phishing-resistant MFA, coverage of centralized log collection relative to critical business processes, and number of unsupported assets discovered by configuration management databases (CMDBs). Reporting must bridge security status with privacy operations, demonstrating how logging completeness and identity governance preserve immutable records of data lineage, access, and erasure decisions for DSAR workflows mandated by GDPR, CCPA/CPRA, Virginia CDPA, and emerging state privacy laws.

Zero trust and configuration management program design

Implementation teams should apply a zero trust architecture lens to the advisory. Begin with an authoritative asset inventory, aligning with CISA’s Zero Trust Maturity Model and Office of Management and Budget (OMB) Memorandum M-22-09 requirements for federal agencies. Segment the program into three waves:

  1. Stabilization (0–90 days): Identify all accounts using default passwords or legacy authentication, enforce password rotations, and expand phishing-resistant MFA (e.g., FIDO2, PIV/CAC) coverage. Concurrently, re-baseline firewall and routing configurations to eliminate shadow remote access pathways enumerated in AA23-278A. Document residual exceptions with business justification and mitigation plans.
  2. Modernization (90–270 days): Deploy centralized configuration management and infrastructure-as-code (IaC) pipelines that encode secure baselines for Windows, Linux, network gear, and SaaS tenants. Integrate automated compliance scanning (e.g., SCAP, CIS-CAT, OpenSCAP) and extend logging to cover authentication events, privileged operations, and DSAR processing workflows. Establish federated identity governance with just-in-time access and role-based policies to counter excessive privilege accumulation.
  3. Optimization (270–540 days): Use continuous diagnostics and mitigation (CDM) tooling to sustain configuration drift detection, feed findings into security orchestration, automation, and response (SOAR) platforms, and align patch cadences with vendor criticality ratings. Conduct tabletop exercises simulating DSAR escalations during security incidents to validate that logging, ticketing, and privacy review checkpoints stay intact even when systems are in containment.
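As an added illustration (not from the advisory or any tool it names) of the stabilization-wave account review and the leading indicators the governance section asks boards to track, the script below scores a constructed inventory; the field names and sample accounts are invented.

```python
"""Misconfiguration assessment over a constructed inventory (added example; field names invented)."""
from datetime import date

# Authenticators the advisory treats as phishing-resistant (FIDO2, PIV/CAC);
# anything else fails the stabilization-wave MFA goal for privileged accounts.
PHISHING_RESISTANT = {"fido2", "piv", "cac"}
LEGACY_AUTH = {"ntlm", "basic", "telnet"}

# Constructed sample data, not from any real environment.
ACCOUNTS = [
    {"name": "svc_backup", "privileged": True, "mfa": "none", "default_password": True, "auth": "ntlm"},
    {"name": "alice.admin", "privileged": True, "mfa": "fido2", "default_password": False, "auth": "kerberos"},
    {"name": "bob.admin", "privileged": True, "mfa": "sms", "default_password": False, "auth": "kerberos"},
    {"name": "carol", "privileged": False, "mfa": "totp", "default_password": False, "auth": "basic"},
]
ASSETS = [
    {"host": "hist-01", "eol": date(2020, 1, 14), "siem_forwarding": True},
    {"host": "jump-02", "eol": date(2029, 10, 10), "siem_forwarding": False},
    {"host": "dsar-app", "eol": date(2031, 6, 30), "siem_forwarding": True},
]

def account_findings(accounts):
    """Findings per account for three AA23-278A categories, in inventory order."""
    findings = []
    for a in accounts:
        if a["default_password"]:
            findings.append((a["name"], "default credentials"))
        if a["auth"] in LEGACY_AUTH:
            findings.append((a["name"], "legacy authentication"))
        if a["privileged"] and a["mfa"] not in PHISHING_RESISTANT:
            findings.append((a["name"], "privileged account without phishing-resistant MFA"))
    return findings

def leading_indicators(accounts, assets, today):
    """The board-level leading indicators named in the governance section."""
    priv = [a for a in accounts if a["privileged"]]
    resistant = [a for a in priv if a["mfa"] in PHISHING_RESISTANT]
    return {
        "privileged_mfa_pct": round(100 * len(resistant) / len(priv), 1) if priv else 100.0,
        "siem_coverage_pct": round(100 * sum(x["siem_forwarding"] for x in assets) / len(assets), 1),
        "unsupported_assets": sorted(x["host"] for x in assets if x["eol"] < today),
    }

if __name__ == "__main__":
    for name, issue in account_findings(ACCOUNTS):
        print(f"{name}: {issue}")
    print(leading_indicators(ACCOUNTS, ASSETS, date(2023, 10, 5)))
```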

Each phase should define cross-functional workstreams pairing infrastructure, application, privacy, and legal teams to document how configuration fixes reinforce lawful processing of personal data. Ensure procurement policies require vendors and managed security service providers (MSSPs) to certify adherence to AA23-278A recommendations, especially for SaaS platforms hosting DSAR intake forms or case management tools.

DSAR readiness and evidence preservation

While AA23-278A focuses on cybersecurity misconfigurations, the guidance is equally consequential for DSAR operations. Logging deficiencies and default credentials jeopardize the integrity of audit trails used to confirm whether a controller holds personal data, how it has been processed, and whether erasure or restriction directives were honored. Privacy teams should collaborate with security engineering to map DSAR workflows—intake, identity verification, scoping, fulfillment, and closure—to specific log sources and configuration controls. For example, identity verification transcripts and secure file transfer records must be retained for the duration required by GDPR Article 5(2) accountability principles and state privacy statutes. Implement tamper-evident storage for DSAR tickets, integrate retention policies with legal hold procedures, and confirm that data discovery tools provide timestamped, access-controlled evidence when individuals challenge response completeness.

Controllers should document fallback DSAR processes for contingency operations. If incident responders must revoke default credentials or disable exposed services identified in AA23-278A, DSAR portals and self-service dashboards should automatically switch to resilient channels (e.g., dedicated call centers or notarized forms) with scripted communications explaining the security event. Privacy notices must reflect these contingencies while maintaining compliance with GDPR Articles 33 and 34 breach reporting obligations where personal data confidentiality is compromised.

Sector-specific considerations

Critical infrastructure operators in energy, healthcare, transportation, and finance must translate AA23-278A into sector guidance. Electric utilities can map misconfiguration findings to NERC CIP-010 configuration change management requirements, verifying that baseline deviations trigger change advisory board review and that DSAR repositories hosted on supervisory control and data acquisition (SCADA) historian systems have compensating controls. Healthcare entities governed by HIPAA should reconcile security rule implementation specifications, particularly 45 C.F.R. §164.312(b) audit controls, with DSAR workflows under the HIPAA Privacy Rule right of access. Financial institutions regulated by the Securities and Exchange Commission (SEC) or banking regulators must align identity governance controls with customer right-to-know statutes and anti-money-laundering recordkeeping, ensuring privileged access reviews include privacy officers.

For defense industrial base contractors subject to Cybersecurity Maturity Model Certification (CMMC) Level 2 or higher, AA23-278A offers evidence to satisfy practices such as AC.L2-3.1.2 (limit system access to authorized users) and AU.L2-3.3.1 (create, protect, and retain audit records). Documenting how these controls protect personal data related to employees, subcontractors, and DSAR applicants strengthens compliance positions during Defense Contract Management Agency (DCMA) assessments.

Testing, assurance, and continuous monitoring

Embed misconfiguration checks in ongoing assurance activities. Internal audit should schedule annual reviews that replicate NSA red team tactics, verifying that privilege escalation paths, exposed administrative interfaces, and inadequate segmentation have been closed. Penetration tests must include scenarios where attackers attempt to tamper with DSAR evidence stores or impersonate data subjects. Establish key risk indicators (KRIs) tied to AA23-278A—such as mean time to remediate unsupported software, proportion of systems with security information and event management (SIEM) coverage, and frequency of privileged access recertification—and report them to the board alongside DSAR fulfillment cycle times and complaint rates.

Continuous monitoring should combine endpoint detection and response (EDR), network detection and response (NDR), and cloud security posture management (CSPM) solutions. Configure alerting to flag default credential usage attempts, unauthorized configuration changes, and anomalies in DSAR case management systems. Integrate monitoring outputs with privacy operations dashboards so that DSAR leads receive immediate notice of potential evidence integrity issues.
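The two alert conditions above, default-credential usage attempts and unauthorized configuration changes, as an added example of detection logic run over constructed log lines (not from any real product; the key=value format, hosts, account names and change ticket are invented), with changes to logging or DSAR objects additionally routed as evidence-integrity alerts:

```python
"""Alerting rules for default-credential usage and unapproved configuration changes
(added example; log format, hosts and account names are constructed)."""
import re

# Vendor/default account names to watch for (illustrative list).
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "cisco", "guest"}
# Change records approved by the change advisory board (constructed).
APPROVED_CHANGES = {"CHG-1042"}
# Configuration objects whose modification threatens log or DSAR evidence integrity.
EVIDENCE_OBJECTS = ("syslog/", "audit/", "dsar/")

SAMPLE_LOG = """\
2023-10-05T10:01:02Z host=fw-01 event=auth user=admin result=success src=10.0.5.7
2023-10-05T10:02:10Z host=fw-01 event=config_change user=alice.admin change_id=CHG-1042 object=acl/remote-access
2023-10-05T10:03:44Z host=hist-01 event=config_change user=svc_backup change_id=- object=syslog/forwarding
2023-10-05T10:04:00Z host=dsar-app event=auth user=carol result=failure src=203.0.113.9
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; the timestamp is kept under 'ts'."""
    ts, _, rest = line.partition(" ")
    return {"ts": ts, **dict(KV.findall(rest))}

def evaluate(event):
    """Return the (rule, severity) pairs one parsed event triggers."""
    alerts = []
    if event.get("event") == "auth" and event.get("user") in DEFAULT_ACCOUNTS:
        # A successful login with a default account outranks a failed attempt.
        sev = "high" if event.get("result") == "success" else "medium"
        alerts.append(("default-credential-usage", sev))
    if event.get("event") == "config_change":
        if event.get("change_id", "-") not in APPROVED_CHANGES:
            alerts.append(("unauthorized-config-change", "high"))
        if event.get("object", "").startswith(EVIDENCE_OBJECTS):
            # Raised even for approved changes so the DSAR lead is notified.
            alerts.append(("evidence-integrity-change", "critical"))
    return alerts

def run_rules(log_text):
    """Apply the rules to every line; returns (host, user, rule, severity) records."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        for rule, sev in evaluate(ev):
            hits.append((ev["host"], ev["user"], rule, sev))
    return hits

if __name__ == "__main__":
    for hit in run_rules(SAMPLE_LOG):
        print(*hit)
```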

Change management, training, and culture

Organizations should update secure configuration baselines, administrative handbooks, and DSAR standard operating procedures (SOPs) simultaneously. Provide targeted training modules for system administrators on password vaulting, privileged access workstation usage, secure log retention, and segmentation design. Privacy case managers need instruction on validating logs and system state information delivered by security teams during DSAR investigations. Reinforce a culture of joint accountability by recognizing cross-functional teams that meet remediation milestones and maintain zero unresolved DSAR complaints. Establish escalation hotlines where employees can report configuration drift or DSAR process breakdowns without fear of reprisal.

Roadmap for the next 12 months

Within the first month, complete a comprehensive misconfiguration assessment aligned to AA23-278A and present findings to the audit committee, including DSAR impact analysis. By six months, enforce configuration baselines across all internet-facing assets, demonstrate 100% phishing-resistant MFA adoption for privileged accounts, and provide documented evidence of DSAR fulfillment traceability. By the end of 12 months, integrate configuration management data with privacy compliance tooling, achieve independent validation of log integrity (through SOC 2, ISO/IEC 27001, or FedRAMP audits), and refresh business continuity plans to ensure DSAR obligations remain achievable during cybersecurity incidents.

AA23-278A distills years of adversary tradecraft into an actionable control checklist. Treating misconfigurations as an enterprise governance failure—not a tactical IT issue—empowers leadership to fund the zero trust, automation, and privacy documentation investments required to sustain compliant, resilient DSAR operations. Controllers that can prove configuration discipline and audit-ready evidence will respond faster to incidents, reduce breach notification exposure, and reinforce customer trust in the stewardship of personal data.
