Summary: CISA in cooperation with NIST and the interagency community released baseline Cybersecurity Cross-Sector Performance Goals which are intended to help establish a common set of fundamental cybersecurity practices for critical infrastructure, and especially help small- and medium-sized organizations kickstart their cybersecurity efforts.  

Background and motivation

Unfortunately, it is no secret that much of the critical infrastructure sector in the United States does not implement even basic cybersecurity standards. This is not a theoretical or philosophical concern. U.S. citizens have felt the effects of these lapses firsthand, whether through ransomware attacks on hospitals and school districts or sophisticated nation-state operations against government institutions and essential infrastructure. The national security, economic security, and health and safety of the American people are all at stake as a result of these intrusions.

“We have heard a common refrain from organizations across the spectrum, from the largest multinational corporations to state and local governments, to critical infrastructure entities of all sizes: How can we focus investment toward the most impactful security outcomes?” notes Jen Easterly, CISA Director.

“It became clear that even with comprehensive guidance from sources like the NIST Cybersecurity Framework, many organizations would benefit from help identifying and prioritizing the most important cybersecurity practices along with support in making a compelling argument to ensure adequate resources for driving down risk,” Easterly explains.

In response to these concerns, President Biden signed in July 2021 the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. This memorandum required CISA, in coordination with NIST and the interagency community, to develop baseline cybersecurity goals that are consistent across all critical infrastructure sectors.

What are the Cross-Sector Cybersecurity Performance Goals?

The Cross-Sector Cybersecurity Performance Goals (CPGs) are a prioritized subset of cybersecurity practices for operational technology (OT) and information technology (IT) that owners and operators of critical infrastructure can use to significantly lower the likelihood and impact of known risks and adversary tactics. The goals were informed by existing cybersecurity frameworks and guidance, as well as by the real-world threats and adversary tactics, techniques, and procedures (TTPs) that CISA and its government and industry partners have had to deal with.

According to the CISA CPG website, the document is intended to be:

  • A baseline set of cybersecurity practices broadly applicable across the critical infrastructure with known risk-reduction value.
  • A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.
  • A combination of recommended practices for IT and OT owners, including a prioritized set of security practices.
  • Distinct from other control frameworks in that they consider not only the practices that address the risk to individual entities, but also the aggregate risk to the nation.

The CPGs are intended to supplement the NIST Cybersecurity Framework (CSF) for organizations that need help prioritizing investment toward a limited number of high-impact security outcomes, whether because of gaps in expertise, resources, or capabilities, or in order to drive focused improvements across suppliers, vendors, business partners, or customers.

In addition, CISA clarifies that the CPGs are:

  • Voluntary: Critical infrastructure owners and operators are not compelled to adopt the CPGs or to provide any reporting regarding or related to the CPGs to any government agency.
  • Not comprehensive: They do not identify all the cybersecurity practices needed to protect national and economic security and public health and safety. They capture a core set of cybersecurity practices with known risk-reduction value that are broadly applicable across sectors.

Which areas do the CPGs cover?

The CPGs cover the following eight cybersecurity areas:

  1. Account Security, focusing on access management and credential lifecycle best practices, including (of course) multi-factor authentication.
  2. Device Security, looking at asset management, documented device configuration, a hardware and software approval process, and more.
  3. Data Security, where data encryption and safeguarding sensitive data play a key role.
  4. Governance and Training, which covers leadership, roles, and responsibilities, and raising awareness through recurrent training.
  5. Vulnerability Management, which includes an extensive list of actions, from mitigating known vulnerabilities, to limiting OT connections to the internet, to publishing security.txt files.
  6. Supply Chain/Third Party, which includes vulnerability disclosure and incident reporting, but surprisingly not SBOM.
  7. Response and Recovery, focusing on incident response plans and backups.
  8. Other, which includes network segmentation and email security.

Interestingly, the CPGs move beyond traditional security measures to also highlight the importance of building relationships among team members. For example, item 4.5 (under Governance and Training) mentions “Organizations sponsor at least one ‘pizza party’ or equivalent social gathering per year that is focused on strengthening working relationships between IT and OT security personnel and is not a working event (such as providing meals during an incident response).”

What sets the CPGs apart from other benchmarks is that these goals were selected to address risks to the nation as well as to individual entities. Organizations can leverage the CPGs as part of a broader cybersecurity program based on the NIST CSF or other frameworks and standards. The CPGs can help organizations that lack the cybersecurity experience, resources, or structure to quickly identify and implement basic cybersecurity practices. The CPGs also include a worksheet that helps organizations with smaller or less mature cybersecurity programs prioritize which protections to implement, and communicate the importance, relative impact, and cost of those protections to (non-technical) executives.

Overall, the CISA CPGs are a great start and a great baseline for every critical infrastructure business to implement. Want to discuss this topic with one of our experts? Please visit our Contact Us page to request more information or connect with a Subject Matter Expert (SME).