Digesting CISA’s Cross-Sector Cybersecurity Performance Goals

Last month, CISA released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems. Since then, the CPGs have been observed by the cybersecurity community as “the floor” and “a baseline” to cybersecurity hygiene and practices. Even as basics to cyber hygiene, it is important to understand the released voluntary practices.  

The CPGs were established after analysis on the public and private sectors efforts to protect, detect, and respond to cyber incidents in the past years. Through the analysis, four key challenges were uncovered that leave the United States at high risk. These four challenges were then confronted through the development of the cross-sector CPGs and include: 

• Lack of Basic Cyber Hygiene: Without basic fundamental security protections, organizations expose unnecessary risks to cyber incidents as threat actors target intrusions against basic protections. The CPGs developed hope to address these fundamental security protections in eight domains defined below.

• Unclear Investment Prioritization: As stated in the report, “small and medium-sized organizations are left behind”. Due to resource constraints and insufficient cyber maturity, organizations struggle to understand where to make the most impactful cybersecurity investment with the limited resources and funds at their disposal.  With the baseline CPGs, the goal is to aid organizations with actionable, cost conscious activities to focus on for basic cyber hygiene. By including cost, impact and complexity for each CPG, it is easy for organizations to prioritize the basic cyber practices. 

• Inconsistent Standards and Cyber Maturity: Inadequate capabilities, investments and cyber hygiene make essential cybersecurity practices hard to define. Specifically, across the critical infrastructure sectors, CPGs look to address the fundamental inconsistencies to minimize cascading impacts of exploitations.  

• Limited Scope: Many organizations overlook OT as part of their cybersecurity strategy, remaining their focus solely to IT systems. Especially in the critical infrastructure sectors, overlooking OT can have serious risks to all operations. As a result, the CPGs released explicitly are scoped to include OT devices. 

These key challenges are addressed by the attestable CPGs and reduce risks for critical infrastructure operations and protection, detection, and response capabilities cross-sector. Organized in 8 domains including account security, device security, data security, governance and training, vulnerability management, supply chain / third party, response and recovery, and other, there is a goal to address the basics of any cybersecurity program. With 37 goals in total, implementation can seem like a daunting task. Here are a few key steps that can ease the implementation process:

• Establish a Baseline: As part of the release, CISA created a checklist (PDF) for organizations to establish their current maturity against each of the performance goals.  The checklist can help  assess your organization’s current state against the goal to determine if it  has been implemented,is in progress, scoped, or not yet started.  

• Define Prioritization Criteria: CISA’s CPG core document (PDF) and checklist provide inputs that can be used to determine the criteria most important to your organization as you look to prioritize the implementation of each goal.  Beyond the status of the goal in their current security roadmap, other inputs such as cost, impact and complexity can be leveraged as criteria to prioritize which goals would have the largest impact in your security journey.  

• Establish an Implementation Strategy: Leverage the recommended actions and relevant TTPs for each goal to develop a detailed approach to goal implementation in your organization’s environment.  Depending on your organization’s maturity, recommended actions may need to be altered to best align to where you currently are on your journey.

Basic cyber hygiene may seem rudimentary, but as highlighted in CISA’s four key challenges above, it is something organizations of all sizes struggle with. Lack of a defined floor to cybersecurity is causing significant cyber risk to our nation. CISA’s cross-sector cybersecurity performance goals look to put baseline maturity activities on paper so that the goals can be leveraged by all.