CISA’s 2025 SMB Cybersecurity Guidelines: What Changes for Your Business

The Cybersecurity and Infrastructure Security Agency published updated guidance for small and medium businesses in early 2025, reflecting the significant shift in the threat landscape since their previous SMB-focused recommendations. Several of the changes have direct operational implications for how small businesses should approach their security programs.

The key updates

MFA is now treated as a baseline, not a best practice

Previous CISA guidance positioned MFA as a recommended control. The 2025 guidance treats it as a foundational requirement, with specific callouts for email, remote access, and administrative accounts. CISA now explicitly recommends phishing-resistant MFA (hardware keys or passkeys) for privileged accounts, distinguishing it from TOTP-based authentication that can be bypassed via real-time phishing proxies.

Software inventory requirements tightened

CISA’s updated guidance places significant emphasis on software bill of materials (SBOM) awareness and third-party software risk. For SMBs, the practical implication is maintaining an accurate inventory of all software running in your environment and establishing a process for monitoring CVEs against that inventory. This matters for cyber insurance qualification as much as it does for security posture.
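As an added example (not from the post or from CISA), here is one way to implement the inventory-to-CVE matching step described above in Python, assuming a spreadsheet-style CSV inventory and an advisory feed reduced to vendor, product, first fixed version and CVE id; all sample rows and CVE ids are constructed placeholders, not real findings.

```python
import csv
import io
import re

# Constructed sample inventory in the "even a spreadsheet" shape the post suggests.
# Hostnames, vendors, products and versions are illustrative, not real systems.
INVENTORY_CSV = """hostname,vendor,product,version
fileserver01,examplecorp,widgetvpn,3.2.1
laptop-07,examplecorp,widgetvpn,3.4.0
billing-db,acme,ledgerdb,11.0.5
"""

# Constructed advisory feed: each entry names the product and the first version
# that contains the fix. The CVE ids are placeholders, not real advisories.
ADVISORIES = [
    {"cveID": "CVE-PLACEHOLDER-1", "vendor": "examplecorp",
     "product": "widgetvpn", "fixed_in": "3.3.0"},
    {"cveID": "CVE-PLACEHOLDER-2", "vendor": "acme",
     "product": "ledgerdb", "fixed_in": "11.1.0"},
]


def parse_version(v):
    """Turn a dotted version string into an integer tuple so '3.10.0' > '3.9.1'.
    Pads to three components so '3.3' and '3.3.0' compare as equal."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (3 - len(parts)))


def load_inventory(text):
    """Read the CSV inventory into a list of row dicts (hostname, vendor, product, version)."""
    return list(csv.DictReader(io.StringIO(text)))


def match_advisories(inventory, advisories):
    """Return (hostname, cveID) pairs where the installed version predates the fix.
    Vendor and product names are compared case-insensitively; spreadsheets are rarely tidy."""
    hits = []
    for row in inventory:
        key = (row["vendor"].strip().lower(), row["product"].strip().lower())
        for adv in advisories:
            if key != (adv["vendor"].lower(), adv["product"].lower()):
                continue
            if parse_version(row["version"]) < parse_version(adv["fixed_in"]):
                hits.append((row["hostname"], adv["cveID"]))
    return hits


if __name__ == "__main__":
    for host, cve in match_advisories(load_inventory(INVENTORY_CSV), ADVISORIES):
        print(f"{host}: needs patch for {cve}")
```

Running this on a real inventory means swapping the constructed advisory list for entries pulled from a feed such as CISA's Known Exploited Vulnerabilities catalog and normalizing its vendor/product names to match your spreadsheet.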

Incident response planning is explicitly required

The updated guidance moves incident response from “recommended” to “expected” for any organization handling sensitive data or operating critical business systems. CISA published a simplified IRP template for SMBs as part of the guidance release — a meaningful acknowledgment that small businesses need practical frameworks, not enterprise playbooks.

What this means for cyber insurance

Insurance underwriters track CISA guidance closely. Controls that CISA classifies as baseline requirements tend to appear on insurance applications within 12–18 months. MFA, endpoint protection, and backup verification are already standard questions. Expect software inventory and incident response planning to follow.

Businesses that implement these controls proactively see better coverage terms and lower premiums — not just better security outcomes.

Practical next steps

  • Download CISA’s updated SMB cybersecurity guide and assess your current controls against their checklist
  • If you don’t have phishing-resistant MFA on administrative accounts, that’s priority one
  • Document your software inventory — even a spreadsheet is a better starting point than nothing
  • If you don’t have a written incident response plan, CISA’s template is a legitimate place to start

Need help assessing where your organization stands against the new guidance? ARC offers free security posture assessments for businesses evaluating their current controls.