CISA Publishes Voluntary Cybersecurity Performance Goals for Critical Infrastructure Organizations

October 31, 2022

A set of cross-sector Cybersecurity Performance Goals (CPGs) have been published by the Cybersecurity and Infrastructure Security Agency (CISA) for critical infrastructure organizations to adopt to achieve a minimum cybersecurity standard and better protect their networks and systems from attacks that threaten their ability to operate.

In response to the May 2021 ransomware attacks on the oil pipeline system operator, Colonial Pipeline, and the food processing firm JBS, President Biden signed an Executive Order on Improving the Nation’s Cybersecurity. As part of that initiative, President Biden signed the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems on July 28, 2021, which called for CISA to publish a baseline set of CPGs with the aim of improving the cybersecurity of all critical infrastructure in the United States on which Americans depend.

According to CISA, the CPGs are “a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques.” The CPGs were developed from existing cybersecurity frameworks and guidance, and in response to real-world threats and the tactics, techniques, and procedures that CISA and its partners have observed nation-state and cybercriminal hacking groups using. CISA Director Jen Easterly said: “Informed by extensive input from experts across sectors, public and private, domestic and international, the CPGs reflect some of the best thinking gleaned from across the cybersecurity community.”

In the United States, the majority of critical infrastructure is owned and maintained by the private sector, which is resistant to cybersecurity regulation. Consequently, it is not mandatory for the CPGs to be adopted by critical infrastructure owners and operators. Compliance is voluntary, although strongly recommended.

The CPGs differ from other control frameworks in that they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation. They are intended to help critical infrastructure organizations, especially small- and medium-sized organizations, accelerate their cybersecurity plans and rapidly improve resilience to cyberattacks. The CPGs are not a comprehensive set of practices for developing an effective cybersecurity program. They are a set of prioritized security practices with proven risk-reduction value, which can be implemented by all critical infrastructure organizations to address the most pressing risks and vulnerabilities known to be exploited by malicious actors.

The CPGs cover account security, device security, data security, governance and training, vulnerability management, supply chain and third-party risk management, and response and recovery, and have been written to be easy to understand and communicate to non-technical audiences, including senior business leadership.

The best practices include important cybersecurity measures such as credential management, password management, asset inventories, disabling macros, security log collection and monitoring, data encryption, multifactor authentication, and basic and OT cybersecurity training.

The Biden Administration has stressed that the CPGs are voluntary and there are no reporting requirements. You can view the CPGs here (PDF).

The post CISA Publishes Voluntary Cybersecurity Performance Goals for Critical Infrastructure Organizations appeared first on HIPAA Journal.