Security Experts:

Connect with us

Hi, what are you looking for?



Digesting CISA’s Cross-Sector Cybersecurity Performance Goals

Last month, CISA released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems.

Last month, CISA released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems. Since then, the CPGs have been observed by the cybersecurity community as “the floor” and “a baseline” to cybersecurity hygiene and practices. Even as basics to cyber hygiene, it is important to understand the released voluntary practices.  

The CPGs were established after analysis on the public and private sectors efforts to protect, detect, and respond to cyber incidents in the past years. Through the analysis, four key challenges were uncovered that leave the United States at high risk. These four challenges were then confronted through the development of the cross-sector CPGs and include: 

• Lack of Basic Cyber Hygiene: Without basic fundamental security protections, organizations expose unnecessary risks to cyber incidents as threat actors target intrusions against basic protections. The CPGs developed hope to address these fundamental security protections in eight domains defined below.

• Unclear Investment Prioritization: As stated in the report, “small and medium-sized organizations are left behind”. Due to resource constraints and insufficient cyber maturity, organizations struggle to understand where to make the most impactful cybersecurity investment with the limited resources and funds at their disposal.  With the baseline CPGs, the goal is to aid organizations with actionable, cost conscious activities to focus on for basic cyber hygiene. By including cost, impact and complexity for each CPG, it is easy for organizations to prioritize the basic cyber practices. 

• Inconsistent Standards and Cyber Maturity: Inadequate capabilities, investments and cyber hygiene make essential cybersecurity practices hard to define. Specifically, across the critical infrastructure sectors, CPGs look to address the fundamental inconsistencies to minimize cascading impacts of exploitations.  

• Limited Scope: Many organizations overlook OT as part of their cybersecurity strategy, remaining their focus solely to IT systems. Especially in the critical infrastructure sectors, overlooking OT can have serious risks to all operations. As a result, the CPGs released explicitly are scoped to include OT devices. 

These key challenges are addressed by the attestable CPGs and reduce risks for critical infrastructure operations and protection, detection, and response capabilities cross-sector. Organized in 8 domains including account security, device security, data security, governance and training, vulnerability management, supply chain / third party, response and recovery, and other, there is a goal to address the basics of any cybersecurity program. With 37 goals in total, implementation can seem like a daunting task. Here are a few key steps that can ease the implementation process:

• Establish a Baseline: As part of the release, CISA created a checklist (PDF) for organizations to establish their current maturity against each of the performance goals.  The checklist can help  assess your organization’s current state against the goal to determine if it  has been implemented,is in progress, scoped, or not yet started.  

• Define Prioritization Criteria: CISA’s CPG core document (PDF) and checklist provide inputs that can be used to determine the criteria most important to your organization as you look to prioritize the implementation of each goal.  Beyond the status of the goal in their current security roadmap, other inputs such as cost, impact and complexity can be leveraged as criteria to prioritize which goals would have the largest impact in your security journey.  

• Establish an Implementation Strategy: Leverage the recommended actions and relevant TTPs for each goal to develop a detailed approach to goal implementation in your organization’s environment.  Depending on your organization’s maturity, recommended actions may need to be altered to best align to where you currently are on your journey.

Basic cyber hygiene may seem rudimentary, but as highlighted in CISA’s four key challenges above, it is something organizations of all sizes struggle with. Lack of a defined floor to cybersecurity is causing significant cyber risk to our nation. CISA’s cross-sector cybersecurity performance goals look to put baseline maturity activities on paper so that the goals can be leveraged by all.  

Written By

Gordon Lawson is CEO of Conceal, a company that uses Zero Trust isolation technology to defend against sophisticated cyber threats, malware and ransomware at the edge. Previously, he served as president at RangeForce Inc. Gordon has nearly two decades of experience in the security sector with a focus on SaaS optimization and global enterprise business development from global companies including Reversing Labs, Cofense (formerly PhishMe) and Pictometry. As a naval officer, Gordon conducted operational deployments to the Arabian Gulf and Horn of Africa, as well as assignments with the Defense Intelligence Agency, US Marine Corps, and Special Operations Command. He is a graduate of the US Naval Academy and holds an MBA from George Washington University.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...


Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...