CISA rolls out cross-sector cybersecurity performance goals for critical infrastructure, sets benchmark standards

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released its cross-sector cybersecurity performance goals (CPGs), a voluntary and deliberately non-comprehensive set of fundamental cybersecurity practices intended to establish a common baseline for critical infrastructure. The benchmark goals are aimed first at small and medium-sized organizations that are just starting their cybersecurity efforts. Because each goal is measurable, organizations across the size and maturity spectrum can see exactly what actions to take and how to self-assess progress toward meeting them.

The cybersecurity performance goals provide a baseline set of cybersecurity practices with known risk-reduction value that are broadly applicable across critical infrastructure, together with a benchmark against which operators can measure and improve their cybersecurity maturity. They combine recommended practices for IT and OT (operational technology) owners into a single prioritized set. Unlike other control frameworks, the goals consider not only the practices that address risk to individual entities but also the aggregate risk to the nation.

The cybersecurity performance goals cover account security, device security, data security, governance and training, vulnerability management, supply chain and third parties, and response and recovery, as well as network segmentation, detection of relevant threats and adversary tactics, techniques, and procedures (TTPs), and email security.

“We hear organizations with mature cyber programs ask what more they can do to prevent attacks from advanced adversaries, manage risks to less mature organizations in their supply chain, and help reduce broader risk to the nation,” Jen Easterly, CISA director, wrote in the agency’s cybersecurity performance goals 28-page report. “We hear the global Operational Technology and Industrial Control Systems (OT/ICS) community clamor to be seen and recognized alongside traditional IT security and supported in their essential role of defending our increasingly connected electric grids, hospitals, water facilities, and other critical infrastructure.”

Easterly adds that it became clear that even with comprehensive guidance from sources like the National Institute of Standards and Technology (NIST) Cybersecurity Framework, many organizations would benefit from help identifying and prioritizing the most important cybersecurity practices along with support in making a compelling argument to ensure adequate resources for driving down risk. “Ultimately, prioritized investment will help meaningfully address serious risks to the safety, health, and livelihoods of the American people,” she wrote.

Last July, U.S. President Joe Biden signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. The memorandum required CISA, in coordination with NIST and the interagency community, to develop baseline cybersecurity performance goals that are consistent across critical infrastructure sectors. The goals were developed by the Department of Homeland Security, through CISA, at the direction of the White House.

“Organizations across the country increasingly understand that cybersecurity risk is not only a fundamental business challenge but also presents a threat to our national security and economic prosperity,” Alejandro N. Mayorkas, secretary of Homeland Security, wrote in a statement. “The new Cybersecurity Performance Goals will help organizations decide how to leverage their cybersecurity investments with confidence that the measures they take will make a material impact on protecting their business and safeguarding our country.”

“The Biden-Harris Administration has relentlessly focused on securing our Nation’s critical infrastructure since day one,” Anne Neuberger, deputy national security advisor for cyber and emerging technologies, said. “CISA has demonstrated tremendous leadership in strengthening our critical infrastructure’s cyber resilience over the last year. The Cyber Performance Goals build on these efforts by setting a higher cybersecurity standard for sectors to meet.” 

“Given the myriad serious cybersecurity risks our nation faces, NIST looks forward to continuing to work with industry and government organizations to help them achieve these performance goals,” Laurie E. Locascio, under secretary of Commerce for Standards and Technology and NIST director, said. “Our priority remains bringing together the right stakeholders to further develop standards, guidelines, and practices to help manage and reduce cybersecurity risk.”

These cybersecurity performance goals supplement the NIST Cybersecurity Framework (CSF) for organizations seeking help prioritizing investment toward a limited number of high-impact security outcomes, whether because of gaps in expertise, resources, or capabilities, or to enable focused improvements across suppliers, vendors, business partners, or customers.

The cybersecurity performance goals are a prioritized subset of IT and OT cybersecurity practices that critical infrastructure owners and operators can implement to reduce the likelihood and impact of known risks and adversary techniques. These goals are applicable across critical infrastructure sectors and are informed by the most common and impactful threats and adversary TTPs observed by CISA and its government and industry partners, making them a common set of protections that critical infrastructure entities — from large to small — should implement. 

CISA developed the cybersecurity performance goals based on extensive feedback from partners to create a final product that reflects input from various groups, including federal agencies, the private sector, and international partners. The agency achieved this goal using written comments, workshops, listening sessions, and focused discussions with experts across various disciplines.

The agency found that many organizations have still not adopted fundamental security protections such as multi-factor authentication (MFA), strong password management, and maintained backups, among other foundational measures, leaving critical infrastructure repeatedly exposed to damaging cyber intrusions.

CISA also found that small and medium-sized organizations are being left behind. Organizations with limited resources or less mature cybersecurity programs often struggle to determine where to start in implementing reasonable cybersecurity measures. While existing resources like the NIST CSF are invaluable, small organizations need help identifying where to invest for the greatest impact on their security posture, along with specific guidance on implementing protections.

CISA also identified a lack of consistent standards and cyber maturity across critical infrastructure sectors. There is significant inconsistency in cybersecurity capabilities, investment, and baseline practices both within and across sectors, leaving gaps that adversaries can exploit to cause functional and cascading impacts.

The agency also found that OT cybersecurity often remains overlooked and under-resourced. The cybersecurity industry is still largely focused on business IT systems and often neglects the risk in OT systems, which were designed to optimize reliability and availability and frequently lack native security capabilities. As more OT devices become network-connected, this puts critical infrastructure entities at serious risk.

As a result, many critical infrastructure entities lack adequate OT cybersecurity programs, especially where cybersecurity is still seen as primarily an IT concern. Even entities that do have OT cybersecurity programs often lack basic OT cyber protections and are unable to find OT-specific guidance relevant to their environments.

In addition to the list of cybersecurity performance goals, there is a user-friendly worksheet for asset owners and operators to review and prioritize which goals to implement, track the current and future state of CPG implementation, and communicate the priorities, trade-offs, and statuses of the CPGs to other stakeholders, such as non-technical executives. The worksheet includes general estimates of the cost, complexity, and impact of implementing each goal. These estimates are intended to be used as an aid to help inform investment strategy to address known gaps in baseline cybersecurity capability. 

Organizations should first review their existing security programs and controls to determine which cybersecurity performance goals are already implemented. For example, an organization may already satisfy certain CPGs through adherence to existing guidance or regulation, such as the NIST CSF or ISA/IEC 62443; every CPG is mapped to corresponding controls in those common frameworks.

Next, organizations should review the gaps in their CPG implementation and prioritize them for investment based on the cost, complexity, and impact estimates included in the CPG worksheet. They can then begin implementing the prioritized goals identified in the previous steps. Some organizations may find materials such as the worksheet helpful when working with their leadership to request funding for cybersecurity-focused projects.

Finally, organizations should revisit their progress regularly. CISA suggests working through the worksheet again after 12 months to capture progress toward improved cybersecurity practices, both for leadership and for third parties.

Following the release of the CPGs, CISA will continue to take input and welcomes feedback from partners across the critical infrastructure community. The agency has set up a Discussions page to receive feedback and ideas for new CPGs, plans to update the CPGs at least every six to twelve months, and will work directly with individual critical infrastructure sectors as it builds out sector-specific CPGs in the coming months.

CISA said that with the cross-sector cybersecurity performance goals complete, it will work with each Sector Risk Management Agency (SRMA) to develop sector-specific goals. This will involve identifying any additional cybersecurity practices, not already included in the common baseline, that are needed to ensure the safe and reliable operation of critical infrastructure in that sector.

It will also provide examples of recommended actions specific to the infrastructure and entities in each sector, and map any existing requirements, such as regulations or security directives, to the common baseline and the sector-specific objectives and recommended actions, so that stakeholders can see how their existing compliance practices fulfill particular objectives.

Earlier this month, the U.S. administration announced a ‘relentless focus’ on improving the nation’s cyber defenses, building a comprehensive approach to ‘lock our digital doors’ and carry out aggressive action to strengthen and safeguard its cybersecurity. The federal government has been working to improve domestic cybersecurity and bolster national resilience, mandating extensive cybersecurity measures while creating public-private partnerships and initiatives to enhance cybersecurity across critical infrastructure sectors.
