CISA Issues Cybersecurity Recommendations

Today, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released a set of baseline cybersecurity recommended actions and guidelines for use by critical infrastructure owners and operators.

The Cybersecurity Performance Goals (CPGs) represent a high-priority set of cybersecurity outcomes and recommended actions that organizations can utilize to align security investments toward the most impactful risk-reduction activities.

The CPGs cover a suite of cyber protections that, when implemented, can help reduce the risk to operations of critical infrastructure and, as a result, daily life for most Americans.

“To reduce risk to the infrastructure and supply chains that Americans rely on every day, we must have a set of baseline cybersecurity goals that are consistent across all critical infrastructure sectors,” said CISA Director Jen Easterly. “CISA has created such a set of cybersecurity performance goals to address medium-to-high impact cybersecurity risks to our critical infrastructure. For months, we’ve been gathering input from our partners across the public and private sectors to put together a set of concrete actions that critical infrastructure owners can take to drive down risk to their systems, networks, and data. We look forward to seeing these goals implemented over the coming years and to receiving additional feedback on how we can improve future versions to most effectively reduce cybersecurity risk to our country.”

Over the past year, CISA worked with hundreds of partners across all states and territories and in each of CISA’s ten regions. Through this collaboration, CISA received thousands of comments and analyzed years of data related to assessing, protecting, and responding to cyber incidents. That feedback identified key challenges and unacceptable risk in different sectors of infrastructure, nationwide.

“Put simply, the CPGs are high-priority cybersecurity recommendations intended to help critical infrastructure organizations reduce risk from malicious cyber activity. As directed by the White House, the CPGs were designed to meaningfully reduce risks to critical infrastructure operations and at the same time promote the security and resilience of essential services upon which the American people depend,” said CISA Region 4 Director Harvey Perriott.

The resulting Cybersecurity Performance Goals will guide organizations through specific mitigations, programs to adopt, and planning to address: account security, device security, data security, governance and training, vulnerability management, supply chain and third-party risk, and response and recovery plans and techniques.

“Organizations can use the CPGs in several ways. For example, they can be used to prioritize security investments, to more effectively identify cybersecurity risk and maturity across the organization’s suppliers, vendors, or business partners, and to benchmark progress toward the most consequential security outcomes,” said Perriott.

Following the release of the CPGs, CISA will continue taking input and welcomes feedback from partners across the critical infrastructure community. In fact, CISA has already set up a Discussions page to receive feedback and ideas for new CPGs, plans to regularly update the CPGs, and will work directly with individual critical infrastructure sectors as we build out sector-specific CPGs in the coming months. To learn more about working with CISA on the CPGs, contact CISA Region 4 via this email.

By Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency