Updated on 2022-10-27: DHS Releases Cross-Sector Cybersecurity Performance Goals
The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released cybersecurity performance goals and metrics designed to help organizations across critical infrastructure sectors improve their cybersecurity posture. While the goals were developed with critical infrastructure organizations in mind, other private sector companies could benefit from them as well. The goals are organized into eight areas, including account security, device security, vulnerability management, and supply chain/third-party security. CISA has set up a discussion page to receive feedback on the goals.
Note
- Improving cybersecurity of critical infrastructure is a national priority. Current fragmented efforts by each industry sector point to the need for a common and prioritized set of safeguards to achieve a baseline cybersecurity posture. The CIS Critical Security Controls, starting with Implementation Group 1, are measurably effective against the top five attack types being used against every industry sector.
- The Cybersecurity Performance Goals (CPGs) are intended to be a fast-start guide to implementing the larger NIST CSF and are intended to be broadly applicable. CISA and NIST would like to see all organizations leverage the CSF, which is intended not only to be cross-sector and cross-industry relevant, but also to map to multiple security frameworks (NIST, ISO, etc.). NIST is setting up a discussions website, leveraging GitHub Discussions, for feedback on the CPGs. See the NIST cross-sector CPG site, https://www.cisa.gov/cpg, for the goals as well as links to the discussion site.
- Whether or not an enterprise is a “critical infrastructure organization,” if it attaches to the public networks, it becomes a part of our collective infrastructure and should behave accordingly.
Read more in
- DHS Announces New Cybersecurity Performance Goals for Critical Infrastructure
- cisagov / cybersecurity-performance-goals
- Cross-Sector Cybersecurity Performance Goals (PDF)
- CPG Checklist (PDF)
- DHS rolls out new cyber performance goals for private sector
- CISA Rolls Out Voluntary Cyber Goals for Critical Infrastructure
Overview: CISA’s Critical Infrastructure Cybersecurity Sector Focus for 2023: Water, Hospitals, K-12
Speaking to an audience at the Mandiant mWISE cybersecurity conference last week, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said that her agency will concentrate on the water, health, and education sectors over the next year, three sectors she described as “target-rich, resource-poor entities.” In 2020, CISA identified 16 critical infrastructure sectors that need cybersecurity attention. The education sector is not included in that list, but it is a broad target and is often hit with ransomware attacks. Easterly also said that CISA plans to publish cross-sector cybersecurity performance goals, developed with the National Institute of Standards and Technology (NIST), next week.
Note
- This continues the focus on critical infrastructure, as promised. This also focuses on the model that these critical sector components are tight on resources and funding, which hopefully will result in low-cost guidance and/or funded services to help raise the bar without creating an impossible regulatory dream. If nothing else, guidance can be leveraged in self-assessments to support a risk-based approach to making (affordable) improvements.
Read more in