What Happens When CISA’s CPG Goal 2 Fails
- Kirk M. Anderson, MBA, CISSP, CISM, PMP

- Dec 23, 2025
- 12 min read

"We didn't know that system was still connected."
"We didn't know that vulnerability was exploitable."
"We didn't know how the networks were actually configured."
Three statements executives never want to make. Three Fortune 500 companies that made them anyway. Three Congressional testimonies. Hundreds of millions in losses.
Monday's newsletter explained CISA's Goal 2 (Identify). Today: what happens when executives skip it, and your 90-day roadmap to make sure you're not the next case study.
PART 1: WHAT HAPPENS WHEN GOAL 2 FAILS
Case 1: The Unknown Asset (Target, 2013)
Goal 2 Failure: Asset Management (2.A) + Network Topology (2.E)
What Actually Happened
In November 2013, attackers compromised the credentials of Fazio Mechanical Services, a small HVAC contractor that Target had granted network access to monitor heating and cooling systems across their retail locations. The attackers used Fazio's legitimate credentials to enter Target's corporate network, then moved laterally from the HVAC management systems, which should have been isolated, into Target's point-of-sale network.
Over the course of three weeks during the peak holiday shopping season, the attackers installed malware on checkout terminals and stole 40 million credit and debit card numbers plus personal information for 70 million customers. The breach wasn't contained due to lack of visibility and decision authority. Target's FireEye security system actually detected the malicious activity and sent alerts, but executives and security staff failed to act on the warnings because they couldn't quickly determine which systems were compromised, what was at risk, or how the attacker had moved through their network. By the time Target confirmed the breach in mid-December, the damage was catastrophic.
The "We Didn't Know" Moment | Target executives couldn't answer:
"What vendor systems have network access to payment systems?"
"Why does an HVAC contractor need routes to POS infrastructure?"
"What other vendors have similar access we don't track?"
The Consequences
$18.5M settlement with 47 states
$202M total breach costs
CEO Resigned May 2014
CIO Resigned March 2014
Stock dropped 46% in 6 months
Board reputation damage lasted years
What Goal 2 Would Have Caught
2.A (Asset Management): Fazio's systems would have been in the inventory with documented business purpose, ownership, and access scope
2.E (Network Topology): Documentation would have shown HVAC systems shouldn't route to payment networks or at minimum shown they were connected
Executive question that would have prevented this: "Show me all third-party systems with access to our payment infrastructure" (If this takes more than 5 minutes to answer, you have a Goal 2 gap)
Case 2: The Known Vulnerability Nobody Patched (Equifax, 2017)
Goal 2 Failure: Vulnerability Mitigation (2.B) + Independent Validation (2.C)
What Actually Happened
On March 7, 2017, a critical vulnerability in Apache Struts (CVE-2017-5638) was publicly disclosed, affecting web applications worldwide. Two days later, on March 9, US-CERT issued an emergency alert and Apache released a patch to fix the flaw. Equifax's security team received the notification and sent internal communications instructing IT teams to apply the patch to vulnerable systems. However, the patch was never applied to a consumer dispute portal that processed sensitive data.
On May 13, 2017, more than two months after the vulnerability became public knowledge and the fix became available, attackers exploited this unpatched system and gained access to Equifax's network. Over the next 76 days, the attackers systematically extracted personal information for 147 million Americans, including Social Security numbers, birth dates, addresses, and driver's license numbers.
The breach went undetected until July 29, 2017, when Equifax finally discovered the intrusion. The company couldn't answer the most basic executive question: "Why wasn't a publicly known, critical vulnerability on an internet-facing system storing consumer data patched in the two months we had to fix it?"
The "We Didn't Know" Moment | Equifax executives couldn't answer:
"What critical systems are still running vulnerable Apache Struts?"
"Why wasn't this patched in the 2 months since disclosure?"
"Who is accountable for ensuring critical patches are applied?"
The Consequences
$1.4 billion total cost (settlement, remediation, legal)
CEO Resigned September 2017
CIO & CSO: Retired/resigned
Congressional testimony: "How did this happen?"
Stock dropped 35% initially
Equifax banned from certain government contracts
What Goal 2 Would Have Prevented
2.B (Vulnerability Mitigation): A time-to-patch SLA based on asset criticality would have created a non-negotiable 7-day window for patching critical vulnerabilities on internet-facing systems storing consumer data. More importantly, cybersecurity would have needed organizational authority, not just influence, to enforce that SLA.
At Equifax, security sent the patch notification but probably lacked the power to verify compliance or escalate when IT teams didn't act. Goal 2 requires executive accountability: if a critical patch isn't applied within the defined window, it automatically escalates to leadership with a documented risk acceptance decision. The security team shouldn't have to persuade IT or operations to patch. They should have the authority to mandate it.
2.C (Independent Validation): Quarterly independent scans would have caught the unpatched Apache Struts vulnerability months before attackers exploited it. This isn't about trusting that patches were applied. It's about proving they were applied. Independent validation gives the CISO evidence to present to executives: "We said it was patched, but verification shows it wasn't."
Executive question that would have prevented this: "Show me our patch compliance rate for critical vulnerabilities on Tier 1 assets over the last 90 days and confirm this data comes from independent validation, not self-reporting." If this data doesn't exist, you have a Goal 2 gap.
More critically: "Does our CISO have the authority to halt operations on systems with unpatched critical vulnerabilities, or can business units override security direction?" If cybersecurity can only recommend while business units can veto, then patching becomes optional. Attackers thrive in the gaps created by security-as-influence rather than security-as-authority.
Case 3: The "We Don't Know What's Connected" Shutdown (Colonial Pipeline, 2021)
Goal 2 Failure: Network Topology (2.E) + Asset Management (2.A)
What Actually Happened
On May 7, 2021, the DarkSide ransomware group infiltrated Colonial Pipeline's network through a compromised VPN credential that lacked multi-factor authentication. The ransomware encrypted Colonial's IT systems including billing, email, and corporate networks, but there was no evidence the operational technology (OT) systems controlling the actual pipeline had been compromised.
Colonial Pipeline, which supplies 45% of the fuel for the Eastern United States, faced a critical decision: could they safely continue operating the pipeline while containing the IT breach? The leadership team couldn't answer the question with confidence because they lacked up-to-date documented network topology showing the isolation boundaries between their IT and OT environments.
Unable to prove the operational systems were truly segmented from the infected corporate network, and fearing the ransomware could spread to pipeline control systems, executives made the only decision they felt was defensible: shut down all 5,500 miles of pipeline operations. The shutdown wasn't because the pipeline controls were compromised. It was because executives couldn't prove they weren't. The result was a six-day fuel shortage across the East Coast, panic buying, price spikes, and a national emergency declaration. The entire crisis stemmed from a visibility gap: executives couldn't confidently answer "what's connected to what?" in the middle of an active incident.
The "We Didn't Know" Moment | Colonial executives couldn't answer:
"Which operational systems are isolated from the IT breach?"
"Can we safely restart partial operations while containing the IT incident?"
"What's the blast radius if we bring system X back online?"
The Consequences
$5 million ransom paid (later partially recovered)
$3+ billion economic impact from shutdown
CEO Testifies in Congress
Mandatory TSA pipeline security directives issued
Reputation damage: "You shut down the East Coast because you didn't know your own network?"
What Goal 2 Would Have Enabled
2.E (Network Topology): Documented IT/OT segmentation showing which operational systems were isolated from breach
2.A (Asset Management): Critical asset dependencies mapped: "Pipeline control system X depends on IT services Y and Z"
Executive decision that would have changed: Surgical isolation instead of full shutdown; containment in hours, not days
Executive question that would have prevented 6-day shutdown: "Show me the network isolation between our IT billing systems and operational pipeline controls" (If this documentation doesn't exist, you can't make surgical containment decisions)
THE PATTERN: All Three Had "Security Programs" But Did They Have Security Authority?
What these breaches share:
✓ Security teams in place
✓ Security budgets allocated
✓ Compliance checkboxes completed
✗ Executive visibility into what they actually owned, what was vulnerable, and how it connected
✗ Security authority to enforce decisions when business priorities conflicted with risk
Target had FireEye intrusion detection. Equifax had vulnerability scanners. Colonial had incident response plans. All three had the technology to prevent or contain their breaches. What they more than likely didn't have were answers to the authority questions that Goal 2 forces into the open:
After security identified the risk, who had the authority to de-prioritize it? When Equifax's security team sent the patch notification, who decided it wasn't urgent enough to execute immediately? Was it a capacity issue, a misinterpretation of impact, or a business decision that security couldn't override?
Who owned the decision when operational priorities conflicted with security recommendations? When Target's FireEye alerts triggered, who had the authority to shut down payment systems during peak holiday shopping season? The security team could influence, but could they enforce?
Were security budgets sufficient, or were they constrained by leaders who didn't understand the risk? Did these organizations fund security at the level needed to maintain Goal 2 visibility, or were budgets minimized because executives lacked the context to understand what "insufficient asset inventory" actually costs?
Was risk formally accepted, or was it simply ignored? When Colonial Pipeline couldn't document IT/OT segmentation, did someone at the executive level explicitly accept the risk of "we won't be able to make surgical containment decisions during an incident" or did that gap exist because no one with authority knew to ask the question?
They all failed on visibility and authority (Goal 2), not on technology capability (Goal 3).
When boards and regulators asked "how did this happen?", the answer was always some version of: "We didn't know."
We didn't know the HVAC vendor could reach payment systems
We didn't know the Apache Struts patch wasn't applied
We didn't know whether operational systems were isolated from the IT breach
Goal 2 doesn't just create visibility. It forces the accountability structure that prevents "we didn't know" from happening in the first place. It answers: What do we own? What's vulnerable? How is it connected? And who has the authority to act on that knowledge when seconds matter?
Implementing Goal 2 puts you into the know and gives security the standing to act on what they know.
PART 2: YOUR 90-DAY ROADMAP TO AVOID BECOMING A CASE STUDY
You've seen what failure looks like. Here's how to prevent it.
This isn't a multi-year transformation program. This is a 90-day executive sprint to achieve baseline Goal 2 visibility.
MONTH 1: ASSET INVENTORY & OWNERSHIP (WEEKS 1-4)
Goal 2.A: Manage Organizational Assets
Week 1-2: Asset Inventory Kickoff
Executive Action: Mandate a living asset inventory with clear ownership fields
What to ask your IT/Security team in the kickoff meeting:
"Show me our current asset inventory right now" (time this and if it takes more than 10 minutes, you're starting from scratch)
"Which systems are NOT in this inventory?" (Shadow IT, cloud instances, vendor-managed devices, OT endpoints)
"For each Tier 1 asset, who is the named owner accountable for its security?" (If the answer is "IT owns everything," you have an accountability gap)
What push back to expect and how to counter it:
Push back: "We have too many systems to inventory everything"
Counter: "Start with Tier 1 crown jewels: systems that, if compromised, create existential risk. We need 20-30 critical assets documented this month, not 5,000 systems documented next year."
Push back: "Our environment changes too fast to keep inventory current"
Counter: "That's why we're making this a living process, not a one-time spreadsheet. Weekly updates for Tier 1, monthly for Tier 2. If we can track inventory in our supply chain, we can track IT assets."
Push back: "This will cost $X for new tools"
Counter: "Show me what visibility we get from tools we already own first. Most organizations use 30% of their existing asset management capability."
Week 3-4: Define Asset Tiers and Ownership
Deliverable by end of Month 1:
Tier 1 (Crown Jewels): 20-30 assets documented with:
System name, business purpose, data classification
Named owner (not "IT team": a specific person with both the authority to make decisions about this asset AND accountability if it causes a breach. Not a scapegoat. An empowered decision-maker)
Network location, dependencies, vendor relationships
Last validated date
Success metric: "Pull up all systems that store customer PII" should take 2 minutes, not 2 days
Target case study reference: If Target had this, someone would have asked: "Why does an HVAC contractor's system appear in our payment network asset inventory?"
MONTH 2: VULNERABILITY TRIAGE & PATCHING (WEEKS 5-8)
Goal 2.B: Mitigate Known Vulnerabilities
Week 5-6: Establish Vulnerability SLAs by Asset Tier
Executive Action: Set a vulnerability "time-to-fix" expectation by criticality level
What to ask your team:
"Show me all critical vulnerabilities on Tier 1 assets older than 30 days" (this reveals your current patch discipline)
"What's blocking patches from being applied?" (change control bureaucracy? Testing delays? Vendor dependency?)
"Who approves patch delays for business reasons?" (If anyone can delay without documented risk acceptance and cost-benefit analysis, patches become optional)
Define clear SLAs based on asset tier + vulnerability severity:
Tier 1 (Crown Jewels)
Critical vulnerabilities: 7 days
High vulnerabilities: 14 days
Medium vulnerabilities: 30 days
Tier 2 (Critical)
Critical vulnerabilities: 14 days
High vulnerabilities: 30 days
Medium vulnerabilities: 60 days
Tier 3 (Important)
Critical vulnerabilities: 30 days
High vulnerabilities: 60 days
Medium vulnerabilities: 90 days
Week 7-8: Force-Rank When "Everything Is Critical"
The problem you'll face: Security team says "we have 5,000 critical vulnerabilities"
How to handle prioritization:
"Which vulnerabilities are actively being exploited in the wild right now?" (CISA KEV list)
"Which vulnerabilities exist on internet-facing Tier 1 assets?" (external + critical = highest priority)
"Which vulnerabilities have public exploits available?" (weaponized = higher urgency)
Deliverable by end of Month 2:
Patch management SLA policy signed by CEO/CISO
Process for escalating patch delays (requires executive approval + documented risk acceptance)
Dashboard showing patch compliance rate for Tier 1 assets
Success metric: 90%+ of critical vulnerabilities on Tier 1 assets patched within SLA
Equifax case study reference: If this process existed, the Apache Struts vulnerability would have triggered a 7-day countdown with CEO visibility if not patched
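The Month 2 mechanics (the tier/severity SLA matrix, the week 7-8 force-ranking questions, automatic escalation past the deadline, and the Tier 1 compliance-rate dashboard number) worked as an added example; this is not code from the original post, and the findings, asset names and "today" are constructed, with dates that echo the Equifax timeline.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# SLA matrix in days, exactly as the roadmap defines it: (tier, severity) -> days
SLA_DAYS = {
    (1, "critical"): 7,  (1, "high"): 14, (1, "medium"): 30,
    (2, "critical"): 14, (2, "high"): 30, (2, "medium"): 60,
    (3, "critical"): 30, (3, "high"): 60, (3, "medium"): 90,
}

@dataclass
class Finding:
    asset: str
    tier: int                   # 1 = crown jewel, 2 = critical, 3 = important
    severity: str               # "critical" | "high" | "medium"
    disclosed: date             # day the fix became available; the SLA clock starts here
    internet_facing: bool
    in_kev: bool                # listed in CISA's Known Exploited Vulnerabilities catalog
    public_exploit: bool
    patched_on: Optional[date]  # None while still open

def deadline(f: Finding) -> date:
    return f.disclosed + timedelta(days=SLA_DAYS[(f.tier, f.severity)])

def status(f: Finding, today: date) -> str:
    """'patched', 'within-sla', or 'ESCALATE' (SLA blown: needs a documented executive risk decision)."""
    if f.patched_on is not None:
        return "patched"
    return "ESCALATE" if today > deadline(f) else "within-sla"

def priority(f: Finding) -> int:
    """Force-rank score (lower = more urgent), mirroring the three week 7-8 triage questions."""
    score = -{"critical": 10, "high": 5, "medium": 1}[f.severity]
    if f.in_kev:                           # actively exploited in the wild
        score -= 100
    if f.internet_facing and f.tier == 1:  # external + crown jewel
        score -= 50
    if f.public_exploit:                   # weaponized
        score -= 25
    return score

def triage(findings: List[Finding]) -> List[Finding]:
    """Open findings only, most urgent first."""
    return sorted((f for f in findings if f.patched_on is None), key=priority)

def escalations(findings: List[Finding], today: date) -> List[str]:
    """Assets whose patch delay must go to leadership with a documented risk acceptance."""
    return [f.asset for f in findings if status(f, today) == "ESCALATE"]

def compliance_rate(findings: List[Finding], tier: int = 1, severity: str = "critical") -> float:
    """Share of in-scope findings patched on or before their SLA deadline (the dashboard number)."""
    scoped = [f for f in findings if f.tier == tier and f.severity == severity]
    met = [f for f in scoped if f.patched_on is not None and f.patched_on <= deadline(f)]
    return len(met) / len(scoped) if scoped else 1.0

# Constructed sample: hypothetical asset names; "today" is the day the exploitation began in the Equifax case.
TODAY = date(2017, 5, 13)
SAMPLE = [
    Finding("dispute-portal", 1, "critical", date(2017, 3, 9),  True,  True,  True,  None),
    Finding("vpn-gateway",    1, "critical", date(2017, 4, 1),  True,  False, False, date(2017, 4, 5)),
    Finding("hr-intranet",    2, "high",     date(2017, 4, 20), False, False, False, None),
    Finding("build-server",   3, "medium",   date(2017, 5, 1),  False, False, True,  None),
]
```

Run against the sample, the portal's 7-day window closed on March 16, so by May 13 it is an escalation item and the Tier 1 critical compliance rate is 50%, well under the 90% success metric.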
MONTH 3: INDEPENDENT VALIDATION & TOPOLOGY (WEEKS 9-12)
Goal 2.C: Independent Validation + Goal 2.E: Network Topology
Week 9-10: Scope Independent Validation
Executive Action: Fund independent validation where confidence matters most
What to validate first when budget is limited:
Priority 1 - Test what fails loudly and expensively:
Backup restoration (most organizations discover backups don't work during an actual disaster)
Access controls (can terminated employees still log in?)
Network segmentation (can you actually isolate a breach, or is everything connected?)
Incident detection (do your tools actually alert on attacks, or just generate noise?)
How to scope testing:
Don't try to validate everything
Pick 3-5 controls that, if they fail during a breach, create material damage
Budget for external penetration test OR internal validation team with authority to challenge
What to have your CISO ask vendors/internal teams:
"I want you to prove our backups work. Restore a production database to a test environment this month"
"I want you to prove network segmentation works. Show me you can't reach payment systems from the corporate network"
"I want you to prove access controls work. Create a test 'terminated employee' account and verify it's disabled within 24 hours"
Week 11-12: Document Crown Jewel Topology
Executive Action: Prioritize topology documentation for crown-jewel systems
What to ask: "For each Tier 1 asset, I need to know: If this system is compromised, what can attackers reach from here?"
Deliverable by end of Month 3:
Network topology maps for top 10 Tier 1 assets showing:
What depends on this system (downstream impact)
What this system depends on (upstream dependencies)
Network isolation boundaries (can we contain a breach here?)
Emergency isolation procedure (who approves shutdown? What breaks?)
Success metric: "If system X is compromised, what do we shut down?" can be answered in 5 minutes with a diagram
Colonial Pipeline case study reference: If this existed, executives could have made surgical containment decisions instead of shutting down 5,500 miles of pipeline
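The two reachability questions this roadmap keeps returning to, Target's "which third-party systems can reach our payment infrastructure?" (Part 1) and Colonial's "if system X is compromised, what can attackers reach, and what do we isolate?" (Month 3), worked as an added example over a topology graph; this is not code from the original post, and the network, asset names and tags are constructed.

```python
from collections import deque
from typing import Dict, List, Set

# Constructed directed graph of allowed paths: edge A -> B means "A can reach B"
# (a route, an allowed firewall rule, or a service dependency). Names are hypothetical.
TOPOLOGY: Dict[str, List[str]] = {
    "vendor-hvac-vpn": ["hvac-mgmt"],
    "hvac-mgmt":       ["corp-lan"],       # the Target-style gap: HVAC management is not isolated
    "vendor-payroll":  ["hr-app"],
    "hr-app":          [],
    "corp-lan":        ["pos-controller", "billing", "email"],
    "pos-controller":  ["pos-terminals"],
    "pos-terminals":   [],
    "billing":         ["scheduling"],     # IT billing feeds the OT scheduling system
    "scheduling":      ["pipeline-scada"],
    "pipeline-scada":  [],
    "email":           [],
}

# Inventory fields the roadmap asks for: third-party origin, payment scope, OT scope (constructed).
ASSET_TAGS: Dict[str, Set[str]] = {
    "vendor-hvac-vpn": {"third-party"}, "vendor-payroll": {"third-party"},
    "pos-controller": {"payment"}, "pos-terminals": {"payment"},
    "pipeline-scada": {"ot"},
}

def reachable(graph: Dict[str, List[str]], start: str) -> Set[str]:
    """Everything an attacker holding `start` can reach by following allowed paths (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def third_parties_reaching(graph, tags, target_tag: str) -> List[str]:
    """Answers 'show me all third-party systems with access to our <target_tag> infrastructure'."""
    targets = {n for n, t in tags.items() if target_tag in t}
    return sorted(n for n, t in tags.items() if "third-party" in t and reachable(graph, n) & targets)

def blast_radius(graph, tags, compromised: str) -> Dict[str, Set[str]]:
    """'If system X is compromised, what can attackers reach?' broken down by asset class."""
    r = reachable(graph, compromised)
    return {tag: {n for n in r if tag in tags.get(n, set())} for tag in ("payment", "ot", "third-party")}

def choke_points(graph, compromised: str, protect: str) -> List[str]:
    """Single nodes whose isolation cuts every path from `compromised` to `protect`:
    the surgical-containment option instead of a full shutdown. Empty if no path exists."""
    if protect not in reachable(graph, compromised):
        return []
    cuts = []
    for node in graph:
        if node in (compromised, protect):
            continue
        pruned = {n: [m for m in e if m != node] for n, e in graph.items() if n != node}
        if protect not in reachable(pruned, compromised):
            cuts.append(node)
    return sorted(cuts)
```

On the sample graph the HVAC vendor is the only third party that reaches payment systems, and a billing compromise can be contained from the pipeline SCADA by isolating the single scheduling hop rather than the whole pipeline.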
THE 90-DAY EXECUTIVE CHECKPOINT
By Day 90, you should be able to answer these questions in under 5 minutes:
✓ "Show me all systems that store customer payment data" (2.A - Asset Management)
✓ "Show me all critical vulnerabilities on systems older than 30 days" (2.B - Vulnerability Mitigation)
✓ "Prove our backups actually restore" (2.C - Independent Validation)
✓ "If payment system X is compromised, what can attackers reach from there?" (2.E - Network Topology)
If any of these questions require meetings, spreadsheets, or "let me get back to you," Goal 2 is not met.
MONTH 4 AND BEYOND: SUSTAINING GOAL 2
Goal 2 isn't a one-time project. It's a discipline.
Quarterly Executive Reviews
Asset inventory updates (new systems, decommissioned systems, ownership changes)
Patch compliance trends (are we getting better or worse?)
Independent validation findings (what broke? What needs fixing?)
Topology updates (M&A, cloud migrations, vendor changes)
Annual Deep-Dives
Third-party penetration test
Full topology review for all Tier 1 assets
Vulnerability disclosure process review (Goal 2.D)
Goal 2.D: Establish Vulnerability Disclosure Process
Create a clear channel for security researchers, employees, and partners to report vulnerabilities:
Published email (security@yourcompany.com) or web form
Triage workflow: who receives reports, who validates, who fixes
Response SLA: acknowledge within 48 hours, triage within 7 days
Safe harbor language (legal protection for good-faith reporters)
Why this matters: Your vulnerabilities will be found. The question is whether you learn about them early (through disclosure) or late (through exploitation). This determines whether security issues reach you as a private heads-up (fixable before exploitation), a public blog post (embarrassing and reputation damaging), or an active exploit in the wild (expensive and potentially catastrophic).
THE EXECUTIVE BOTTOM LINE
From Monday's newsletter, you learned Goal 2's framework.
From Part 1 of this blog, you saw what happens when executives skip it: Congressional testimony, CEO resignations, hundreds of millions in losses.
From Part 2, you have your roadmap: 90 days to baseline visibility that prevents you from becoming the next case study.
The choice is binary:
Invest 90 days of discipline now (predictable, contained cost)
Explain to your board why "we didn't know" (unbounded, career-ending cost)
Don't let "we didn't know" be your Congressional testimony.