On October 27, 2022, the Cybersecurity & Infrastructure Security Agency (“CISA”), in partnership with the National Institute of Standards and Technology (“NIST”) and the interagency community, published the first iteration of its cross-sector Cybersecurity Performance Goals (“CPGs”). Drafted in response to President Joe Biden’s July 2021 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, the CPGs are voluntary measures that organizations within the critical infrastructure sectors can implement to kickstart their cybersecurity efforts, and according to CISA, will be regularly updated at least every six to twelve months.
The CPGs, which CISA has described as a “minimum set of practices,” are sorted into eight categories: Account Security, Device Security, Data Security, Governance and Training, Vulnerability Management, Supply Chain/Third Party, Response and Recovery, and Other. CISA has positioned these CPGs as a “floor, not a ceiling,” for cybersecurity protections that organizations should implement. Each goal includes information such as the ultimate security outcome that the CPG is striving to enable, recommended actions to achieve that outcome, and the specific risks that the goal is attempting to counteract. Additionally, every CPG is related to a subcategory of the NIST Cybersecurity Framework (“CSF”), a previously-existing cybersecurity framework first published in 2018. CISA has suggested that the CSF should continue to be used in conjunction with the CPGs; however the CPGs do not fully address each CSF subcategory. Organizations that have already adopted and implemented the CSF will not need to perform additional work to implement the CPGs.
An overview of the CPGs in each category is as follows:
The Account Security section of the CPG list focuses on strengthening the security of log-in credentials. It encourages best practices such as enabling multi-factor authentication, creating a process to revoke credentials of departing employees, creating unique user credentials, separating user and privileged accounts, and requiring passwords that meet specific minimum standards.
The Device Security CPGs recommend that organizations inventory and monitor the hardware and software used by their employees, maintain accurate documentation describing the configuration details of all critical information technology and operational technology (“OT”) assets, and disable macros in Microsoft Office applications by default.
The Data Security CPGs focus on keeping sensitive data safe from unauthorized users and cyberattacks, as well as collecting and protecting security logs for detecting and responding to security incidents. These goals include implementation of effective encryption techniques for maintaining the confidentiality and integrity of sensitive data.
Governance and Training
The Governance and Training CPGs describe cybersecurity personnel leadership structures that organizations should implement as part of their cybersecurity program. CISA recommends appointing a single leader to be responsible for overall cybersecurity and a single leader to be responsible for OT specific cybersecurity, for organizations with OT assets.
Under Governance and Training, CISA also recommends annual cybersecurity training for all organizational employees and contractors, and specialized OT-focused cybersecurity training for personnel responsible for maintaining or securing OT.
CISA already maintains an online directory of Known Exploited Vulnerabilities (“KEV”) in internet-facing systems. Along with ensuring that all KEVs are patched or otherwise mitigated within a risk-informed span of time, the Vulnerability Management CPGs encourage organizations to create channels that would allow researchers to easily disclose discovered weaknesses, avoid hosting OT assets on public internet networks, and engage third parties with IT and/or OT cybersecurity experience to validate the organization’s cybersecurity defenses.
Supply Chain / Third Party
The Supply Chain/Third Party CPGs focus on the ways that organizations can reduce their cybersecurity risks by being mindful about the suppliers from whom the organization purchases its products and services and staying abreast of known weakness, breaches, and vulnerabilities that affect its vendors and services providers. These CPGs include bolstering procurement agreements to include cybersecurity requirements and security incident notification obligations.
Response and Recovery
The Response and Recovery CPGs focus on how organizations should respond in the face of a cybersecurity incident. Organizations should know to whom they should report cybersecurity incidents, maintain and practice cybersecurity incident response plans, regularly back-up important data, and conduct periodic reviews and updates of IT and OT networks.
The CPGs in the Other category focus on implementing email security tools, segmenting OT and IT networks, and detecting security threats in organizations’ environments.
To help organizations implement the CPG framework, CISA also published a checklist “to be used in tandem with the CPGs to help prioritize and track [the] organization’s implementation,” and created a GitHub discussion webpage, which is a forum “to discuss and collaborate on community-proposed additions, changes, and other considerations for future versions of the CPGs.”
These guidelines are based on security frameworks that have been in place for years (NIST 800.53, ISO 27002, etc.) and are squarely intended for those companies for whom these existing frameworks have been a challenge to operationalize. It brings a number of critical security controls to a “plain English” level that hopefully less sophisticated organizations can use as guidance for building their security controls. Since these CPGs are not backed with the support of legislation amid industry pushback, they are completely voluntary, so it is currently unclear how comprehensively they will be adopted. However, moving forward, CISA plans to develop sector-specific goals, and will work with each Sector Risk Management Agency to develop those objectives.