The Cybersecurity and Infrastructure Security Agency (CISA) today unveiled its long-anticipated cybersecurity performance goals (CPG) to help critical infrastructure owners and operators prioritize and set a foundation for key security measures.
The CPGs – applicable across the 16 critical infrastructure sectors already designated by the Department of Homeland Security (DHS) – feature a list of information technology and operational technology cybersecurity practices that critical infrastructure owners and operators can implement to reduce the likelihood and impact of known risks and adversary techniques.
CISA explained that the goals are “voluntary,” and “do not identify all the cybersecurity practices needed” to protect critical infrastructure.
The new goals, said CISA Deputy Director Nitin Natarajan, are “not designed to replace the NIST [National Institute of Standards and Technology] cybersecurity framework but in fact designed to work with the NIST cybersecurity framework.”
“We’re really excited about getting this product out,” said Natarajan, who talked about the new cyber guidance release today at MeriTalk’s Cyber Central – Security by Design conference in Washington, D.C.
“We want to really drive adoption of the most impactful security measures for baseline security” and generate “basic fundamental acceptance within their organizations to drive change,” he said.
The critical infrastructure guidelines “capture a core set of cybersecurity practices with known risk-reduction value broadly applicable across sectors,” CISA stated in a release announcing the goals.
CISA’s publication of the goals flows from a White House memorandum signed by President Biden in April 2021.
The memo – entitled National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems – directs CISA to work with the National Institute of Standards and Technology (NIST) and the interagency community to develop baseline cybersecurity performance goals consistent across all critical infrastructure sectors.
The goals establish a standard set of fundamental cybersecurity practices for critical infrastructure. In addition, the CPGs aim to help small to medium-sized organizations kickstart their cybersecurity efforts. CISA said it used existing cybersecurity guidance and the agency’s knowledge of current cyber risks and adversary tactics to develop the goals.
Elaborating on how to use the new cyber goals in conjunction with the NIST Cybersecurity Framework (CSF), the agency explained that while the CPGs are mapped to corresponding subcategories in the NIST framework, CISA still recommends that organizations use the NIST framework to design and mature a comprehensive cybersecurity program.
Moving forward, CISA plans to develop sector-specific goals, and will work with each Sector Risk Management Agency to develop those objectives.
Natarajan said at today’s MeriTalk conference that the new goals “are really looking at high impact” practices across organizations large and small, and across the public and private sectors.
He said the goals focus on “steps that you can take to help raise your cyber defenses, to help raise your efforts in cybersecurity,” and that CISA is “really looking at these to be the minimum baseline of cyber protections that will reduce the risk of critical infrastructure operators.”
“At the end of the day, by doing that we’re also impacting national security and the health and safety of Americans throughout the nation,” the CISA official said.
Natarajan said the goals were developed through extensive collaboration with academia and the security research community “based on widely published research of the threat landscape in collaboration with government and industry groups, private sector experts to drive the solutions that we’re coming up with.”
“It’s the first U.S. government effort to provide stakeholders with recommended best practices and measurable actions to achieve that basic level of cybersecurity across both IT and OT systems,” he said.
“CISA’s new cybersecurity performance goals for critical infrastructure sectors are pretty basic – and that’s a good thing,” Gary Barlet, Federal Chief Technology Officer at Illumio, told MeriTalk today.
“Cybersecurity is innovating faster than ever, but organizations are often impacted by the most rudimentary of threats,” he said, adding, “improving cyber hygiene can’t happen unless the fundamentals are in place.”
“The key takeaway of CISA’s goals isn’t that they are basic, but rather that they are easy to implement across a broad spectrum of organizations,” Barlet said. “Right now, too many organizations, public and private, don’t have their ‘cyber ABCs’ down. This is especially true of SMBs and entities that don’t typically have the resources to adopt cyber tools; however, these are some of the organizations who can benefit most from these goals.”
“Securing the nation’s critical infrastructure is a big task that involves taking small yet meaningful steps, such as implementing segmentation, which prevents initial breaches (inevitable in today’s day and age) from escalating into bigger disasters,” he said.
“I applaud CISA for putting these goals together and encourage all agencies and corporations to grade themselves against it,” Barlet said. “This will help us reduce risk across critical infrastructure. The challenge is that in order for this framework to be successful, organizations need to be honest with themselves about how well they’re doing on these objectives.”