CISA CPGs reorganized, reordered, renumbered to align with NIST CSF functions, following industry feedback

Less than six months after its initial release, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published Tuesday stakeholder-based updates to the Cybersecurity Performance Goals (CPGs). In response to feedback received directly from the critical infrastructure community, these CPGs have been reorganized, reordered, and renumbered to align closely with NIST Cybersecurity Framework functions to help organizations use the CPGs to prioritize investments as part of a broader cybersecurity program built around the CSF.

Jen Easterly, CISA director, said in the March 2023 update of the CPGs, version 1.0.1, that the agency heard “the global Operational Technology and Industrial Control Systems (OT/ICS) community clamor to be seen and recognized alongside traditional IT security and supported in their essential role of defending our increasingly connected electric grids, hospitals, water facilities, and other critical infrastructure.”

She added that it became clear that even with comprehensive guidance from sources like the NIST CSF, many organizations would benefit from help identifying and prioritizing the most important cybersecurity practices along with support in making a compelling argument to ensure adequate resources for driving down risk. 

The CPGs “strive to address this need by providing an approachable common set of IT and OT cybersecurity protections that are clearly defined, straightforward to implement, and aimed at addressing some of the most common and impactful cyber risks,” Easterly wrote. “The CPGs are written and designed to be easy to understand and relatively easy to communicate with non-technical audiences, including senior business leadership. Informed by extensive input from experts across sectors, public and private, domestic and international, the CPGs reflect some of the best thinking gleaned from across the cybersecurity community.” 

As in all things, “we look forward to continuous feedback on them so we can regularly refresh these goals based on the constantly evolving technology and threat landscapes. Ultimately, our hope is that the CPGs will not only serve as a strong foundation for improving cybersecurity across our nation’s critical infrastructure sectors but also as a baseline of security outcomes that merit the trust of the American people,” Easterly added.

After CISA published the first CPG report in October, the agency received feedback from multiple sectors asking for more streamlined mapping to the NIST CSF. In response, CISA has reorganized the CPGs to align with NIST CSF functions (Identify, Protect, Detect, Respond, and Recover). Also, it noted that some objectives translate to several functions and that implementing a specific CPG does not guarantee that the NIST CSF subcategory to which it refers has been fully satisfied.

The March 2023 update, version 1.0.1, reorders and renumbers the CPGs to align closely with NIST CSF functions. Accompanying documents, the Checklist and Matrix, have been adjusted accordingly. Mappings from the original numbering are reflected in the Matrix for users who may be familiar with the original publication. Additionally, the MFA (multi-factor authentication) goal has been updated to reflect the most recently published CISA guidance regarding phishing-resistant MFA and the considerations for prioritizing implementation.

CISA has also added a goal based on GitHub feedback to aid in organizations’ recovery planning. Finally, slight modifications have been made to the glossary to reflect the minor content changes, and an acknowledgment section to thank additional stakeholders who contributed to the current and previous versions.

The CPGs will be regularly updated, with a targeted revision cycle of at least every six to 12 months. Also, a Discussions page has been set up to receive feedback and ideas for new CPGs. 

The CPGs are a prioritized subset of IT and OT cybersecurity practices aimed at meaningfully reducing risks to both critical infrastructure operations and the American people. These goals are applicable across all critical infrastructure sectors and are informed by the most common and impactful threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners, making them a common set of protections that all critical infrastructure entities — from large to small — should implement. 

The CPGs do not reflect an all-encompassing cybersecurity program – rather, they are a minimum set of practices that organizations should implement and aim to help critical infrastructure entities, particularly small and medium organizations, get started on their path toward a strong cybersecurity posture. As such, the CPGs are intended to be a floor, not a ceiling, for what cybersecurity protections organizations should implement to reduce their cyber risk. 

The benchmarks are not comprehensive, as they do not identify all the cybersecurity practices needed to protect every organization or fully safeguard national and economic security and public health and safety against all potential risks. They represent a minimum baseline of cybersecurity practices with known risk-reduction value broadly applicable across all sectors and will be followed by sector-specific goals that dive deeper into the unique constraints, threats, and maturity of each sector where applicable.

The CPGs are intended to be voluntarily adopted by organizations to enable the prioritization of security investments toward the most critical outcomes, in conjunction with broader frameworks like the NIST CSF. The practices in the CPGs apply to all critical infrastructure organizations and are not tiered into ‘maturity’ categories. 

Based on stakeholder feedback, the CPGs can be leveraged by organizations as part of a broader cybersecurity program based on the NIST CSF or other frameworks and standards. The CPGs can help organizations that may lack the cybersecurity experience, resources, or structure in place to identify and implement basic cybersecurity practices. After or in parallel with applying the CPGs, organizations can continue to leverage the NIST CSF to build a holistic risk management program and implement additional NIST controls. 

These CPGs contain a user-friendly worksheet for asset owners and operators to review and prioritize which CPGs to implement, track the current and future state of CPG implementation, and communicate the priorities, trade-offs, and statuses of the CPGs to other stakeholders, such as non-technical executives. The worksheet includes general estimates of the cost, complexity, and impact of implementing each goal. Also, these estimates are intended to be used as an aid to help inform investment strategy to address known gaps in baseline cybersecurity capability. 

The worksheet can help organizations with smaller or less mature cybersecurity programs prioritize which protections to implement, and communicate the importance and relative impact and cost of those protections to (non-technical) executives.

Addressing the NIST CSF mappings, CISA said that every security practice in the CPGs aligns with and is mapped to a corresponding subcategory in the NIST CSF. “For each security practice, identification of the CSF subcategory indicates a relationship between the CPG and the NIST CSF. Organizations that have already adopted and implemented the NIST CSF will not need to perform additional work to implement the relevant CPGs.”

On Monday, the CISA appointed additional members to the CISA Cybersecurity Advisory Committee (CSAC) to bring on board additional experts from the public and private sectors. These professionals will advise the director on policies and initiatives to enhance the nation’s cyber defense.

The new CSAC members include Dave DeWalt, CEO and founder at NightDragon; Brian Gragnolati, president and CEO at Atlantic Health System; Royal Hansen, vice president of privacy, safety and security engineering at Google; Chris Inglis, former U.S. National Cyber Director; Rahul Jalali, senior vice president and chief information officer at Union Pacific; John Katko, former Representative for New York’s 24th District; and Jim Langevin, former Representative for Rhode Island’s 2nd District.

Other members also include Cathy Lanier, senior vice president and chief security officer at the National Football League; Doug Levin, co-founder and national director at K12 Security Information eXchange (SIX); Ciaran Martin, former CEO at the U.K.’s National Cyber Security Centre; Robert Scott, commissioner at New Hampshire Department of Environmental Services; Kevin Tierney, vice president and chief cybersecurity officer at General Motors; and Alex Tosheff, VMware’s senior vice president and chief security officer. 

Easterly said that these executives were chosen for their deep expertise in critical infrastructure, cybersecurity, and governance. Also, these members will add new perspectives to the CSAC’s work, particularly given this year’s additional focus on corporate cyber responsibility, technology product safety, and efforts to raise the cyber hygiene baseline of ‘target rich-cyber poor’ entities like hospitals, K-12 school districts, and water utilities.

Industry feedback has played a role in rule-making across the critical infrastructure sector. In December, the U.S. Department of Homeland Security (DHS) through its Transportation Security Administration (TSA) division sought feedback on improving surface cyber risk management across transportation systems. Earlier, in November, the National Cybersecurity Center of Excellence (NCCoE) published a draft project description seeking feedback from all stakeholders in the water and wastewater utilities sector.
