The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a new set of voluntary Cybersecurity Performance Goals that outline he highest priority baseline measures that businesses and critical infrastructure owners can take to protect themselves against cyber threats.
The Cybersecurity Performance Goals (CPGs), developed by the Department of Homeland Security (DHS) and CISA at the direction of the White House, are the product of a yearlong effort and partnership with hundreds of public and private sector organizations and an analysis of years of data to identify key security challenges.
According to DHS and CISA, the goals are based on easily understandable criteria such as cost, complexity, and impact and are designed to be applicable to organizations of all sizes.
CISA developed the CPGs in close partnership with the National Institute for Standards and Technology, and they are intended to be implemented alongside the NIST Cybersecurity Framework. CISA calls on every organization to use the NIST framework to develop a comprehensive cybersecurity program and use the CPGs as an “abridged subset of actions” and as a kind of “QuickStart guide” for the NIST framework to help organizations prioritize security investments.
The 28-page core document includes guidance on account security, device security, data security, governance and training, vulnerability management, supply chain and third party risk, response and recovery, network segmentation, detecting relevant threats and email security.
The resources also include a checklist to be used in tandem with the CPGs, a master source document that incudes all reference information and resource links and a GitHub Discussion page established by CISA to discuss and collaborate on community-proposed additions, changes and other considerations for future versions of the goals.
According to Jen Easterly, director of CISA, a set of baseline cybersecurity goals can help reduce risk to critical infrastructure and supply chains. The CPGs developed by the agency are designed to address medium-to-high impact cybersecurity risks to the U.S.’s critical infrastructure.
In the months ahead, CISA will actively seek feedback on the CPGs from partners across the critical infrastructure community. CISA will also begin working directly with individual critical infrastructure sectors as it builds out sector-specific CPGs in the coming months, the agency says.
“For months, we’ve been gathering input from our partners across the public and private sectors to put together a set of concrete actions that critical infrastructure owners can take to drive down risk to their systems, networks and data,” Easterly says. “We look forward to seeing these goals implemented over the coming years and to receiving additional feedback on how we can improve future versions to most effectively reduce cybersecurity risk to our country.”
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!
Leave a Reply