Security and Resilience (Cyber and Physical)

CISA Releases Cybersecurity Performance Goals for Critical Infrastructure

Like What You Are Reading?

Please take a few minutes to let us know what type of industry news and information is most meaningful to you, what topics you’re interested in, and how you prefer to access this information.

At the end of October, the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released a set of voluntary goals outlining the highest priority baseline measures businesses and critical infrastructure owners of all sizes can take to protect against cyber threats to critical infrastructure.

The Cybersecurity Performance Goals (CPGs) were developed by CISA with the DHS at the direction of a July 2021 memorandum on cybersecurity from the White House. DHS, in collaboration with sector risk management agencies, will next begin a process of writing sector specific voluntary goals utilizing the CPGs while they continue to promote these new cross sector cyber gaols.

Legislation passed in November 2018 created CISA within the Department of Homeland Security (DHS) to take the lead in cyber and physical infrastructure security. This did not change the Fixing America’s Surface Transportation Act (FAST Act) - signed into law in December 2015 – designation that the Department of Energy (DOE) specifically as the energy sectors sector risk management lead for cybersecurity. 

Over the past year, CISA developed the CPGs in partnership with organizations across government – including DOE - and the private sector through a process that incorporated feedback from hundreds of public and private sector partners and analyzed years of data to identify key challenges that put the nation at risk.  APPA appreciated the opportunity to participate in this process as well as to submit feedback much of which was incorporate in the final version.

The CPGs are designed to address concerns CISA heard from “organizations across the spectrum, from the largest multinational corporations to state and local governments, to critical infrastructure entities of all sizes: How can we focus investment toward to the most impactful security outcomes?” Jen Easterly, CISA’s director, said in the introduction to the CPG report.

The CPGs are intended to be implemented in concert with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. It became clear, however, that even with comprehensive guidance from NIST, many organizations would benefit from help identifying and prioritizing the most important cybersecurity practices along with support in making a compelling argument to ensure adequate resources for driving down risk, Easterly said.

The newly delineated CPGs serve as “a kind of QuickStart guide” by prioritizing a “subset of Information Technology (IT) and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques,” CISA said. The goals were “informed by existing cybersecurity frameworks and guidance, as well as the real-world threats and adversary tactics, techniques, and procedures observed by CISA and its government and industry partners,” the agency said.

Accompanying the goals is a CPG Checklist which can be a very handy starting point for smaller entities looking for a simple way to start working on the CPGs goals and utilizing the CPGs as a reference as needed for the checklist.

CISA stressed that the CPGs are a “baseline set of cybersecurity practices broadly applicable across critical infrastructure” and that they are voluntary and not comprehensive in that they “do not identify all the cybersecurity practices needed to protect national and economic security and public health and safety.” The CPGs “capture a core set of cybersecurity practices with known risk-reduction value broadly applicable across sectors,” the agency said.

The goals are grouped eight topics: account security, device security, data security, governance and training, vulnerability management, supply chain/third party, response and recovery, and other.