
Cybersecurity · Credibility 92/100 · 1 min read

NSA and CISA List Top Ten Cybersecurity Misconfigurations — October 5, 2023

Red and blue team assessments revealed systemic identity, network, and logging weaknesses across critical infrastructure operators.

Executive briefing: On October 5, 2023, NSA and CISA published joint Cybersecurity Advisory AA23-278A, cataloging the top ten misconfigurations observed during incident response engagements and security assessments [AA23-278A]. The list underscores persistent weaknesses that adversaries routinely exploit. CISA later embedded the same mitigations into its 2023 Cross-Sector Cybersecurity Performance Goals update, giving regulators a formal checklist for validating configuration programs [CPG 2.0].

Common pitfalls

  • Default credentials and weak passwords. Many organizations still deploy systems with factory settings or fail to enforce complex password policies.
  • Ineffective segmentation. Flat networks allow attackers to pivot from internet-facing assets into sensitive production environments.
  • Insufficient logging and monitoring. Lack of centralized log collection and alerting delays detection of intrusions.

Recommended mitigations

  • Implement phishing-resistant MFA for privileged and remote access accounts.
  • Adopt network segmentation and application allowlisting to limit lateral movement and unauthorized execution.
  • Centralize security telemetry with retention aligned to CISA’s Cross-Sector Cybersecurity Performance Goals [CPG 2.0].

Program alignment

  • NIST CSF 2.0 PR.PS & DE.CM. Hardened identity and monitoring controls directly support core framework outcomes.
  • Zero trust strategies. Eliminating default credentials and enforcing least privilege are foundational to agency and enterprise zero trust roadmaps.
  • Regulatory inspections. Sectors under NERC CIP, TSA, and HIPAA oversight can use the advisory as an audit checklist for recurring assessments.