CISA releases cybersecurity performance goals to reduce risk and impact of adversarial threats

Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) released voluntary cross-sector Cybersecurity Performance Goals (CPGs). CISA was required to produce the CPGs under a national security memo on improving cybersecurity for critical infrastructure control systems issued by President Biden in July 2021. Working in coordination with the National Institute of Standards and Technology (NIST) and the interagency community, CISA developed “baseline cybersecurity performance goals that are consistent across all critical infrastructure sectors.”

CISA says these goals are “a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques.” Stressing that the goals are voluntary and not comprehensive, CISA modeled the CPGs on the real-world threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners but mostly leaned on NIST’s Cybersecurity Framework (CSF).

Despite wide praise for the CSF, CISA felt compelled to offer a simpler, more bite-sized, and abridged version of NIST’s framework. “It became clear that even with comprehensive guidance from sources like the NIST Cybersecurity Framework, many organizations would benefit from help identifying and prioritizing the most important cybersecurity practices along with support in making a compelling argument to ensure adequate resources for driving down risk,” CISA Director Jen Easterly says in the introduction to the CPGs.

CISA, however, made clear that the NIST Framework is still the real deal. “While the CPGs are mapped to corresponding subcategories in the NIST CSF, CISA still recommends that organizations use NIST CSF to design and mature a comprehensive cybersecurity program,” CISA said.

Each goal comprises the desired outcome, TTP/risk addressed, security practice, scope, recommended action, and CSF reference (the subcategory most closely relates to the security practice.) The goals are spelled out in a “quick start guide,” a short 28-page document. They are clustered around eight succinctly detailed topics, including:

• Account security
• Device security
• Data security
• Governance and training
• Vulnerability management
• Supply chain/third party
• Response and recovery
• Other

CISA’s goals are a “good first step”

Reaction to CISA’s release was generally positive. Representatives Bennie G. Thompson (D-MS), chairman of the Committee on Homeland Security, and Yvette D. Clarke (D-NY), chairwoman of the Subcommittee on Cybersecurity, Infrastructure Protection, & Innovation, issued a statement saying the “Cybersecurity Performance Goals for Critical Infrastructure (CPGs) will help simplify security decisions for owners and operators, and set clear expectations about the baseline security controls that should be in place for essential services and functions.”

Patrick Miller, president and CEO of Ampere Industrial Security and one of the industry leaders who advised CISA as it drafted the CPGs, tells CSO he thinks CISA’s document “is a really good first step.” The CPGs will “obviously need to change, not just because they’ll be refined over time,” but CISA will “get more industry feedback as people actually walk through it.”

Tom Bossert, president of Trinity Cyber and former homeland security advisor to the two most recent Republican presidents, reviewed copies of the CPG document before its release, he tells CSO. “I wish all compliance lists were this straightforward and well thought out. In order to get a better likelihood of the target audience adopting these guidelines, you want to make sure they’re clear and understandable. And that’s exactly what they are. These are way more approachable than the NIST Framework, which can be daunting and thick and sometimes the equivalent of giving a student War and Peace.”

Mark Montgomery, senior director of the Center on Cyber and Technology Innovation and executive director of Cybersolarium.org, tells CSO that the CPGs are “really important for small- and medium-sized businesses.” Big companies, “what I would call the systemically important critical infrastructure structure, or what Jen Easterly might call the priority systemically important entities,” are less likely to need the kind of easily digested advice contained in the CPGs, Montgomery says, because they have already studied the NIST Framework and are implementing more ambitious programs. “This is about that big middle, and for that reason, I think there’s value in this,” he says.

Room for improvement on cybersecurity goals

CISA plans to work with critical infrastructure sectors to enhance the goals as it begins the development of sector-specific goals and to identify any additional cybersecurity practices not already included in its common baseline. Bossert said that based on his review, there don’t seem to be any network security controls referenced. “That’s a place where I’m going to work with them to see if we can flush out the adoption of new capabilities.”

“I would say there are other things they missed,” Montgomery says, such as controls listed in NIST’s 800 series of security publications or the ISA Secure set of security tools and documents. “That might have been an advantage [for CISA] in more readily acknowledging the other tools that are available.”

Although supply chain is referenced in the goals, “I think that over time they’re going to come back to it, Montgomery says, “I suspect the next time we see this updated, we’ll see a larger section on supply chain.”

How long will the cybersecurity goals stay voluntary?

Although CISA stresses that the CPGs are strictly voluntary, some say the fact that the NIST CSF has now been incorporated into recommendations by CISA under a White House national security memorandum moves the desired cybersecurity outcomes closer to becoming regulatory requirements. “Anytime the federal government issues something like this, it’s going to be air quotes ‘voluntary’ until you’re voluntold, and then you’ll just be told,” Miller says.

According to Miller, it would behoove organizations to embrace the CPGs to improve their cybersecurity postures and, perhaps, stave off regulation. “I’m a big DHS fan, but if you don’t respond in a meaningful way, there will likely be regulation to follow. “We know, based on the memorandum, that if we don’t participate, we could very realistically face additional regulations that will probably look a lot like these in the future. So, we could probably at least start going down this path and start showing some progress.”

“I don’t think anyone would be surprised to hear that this administration has been signaling an intention to regulate the industry on cybersecurity in maybe a significant way,” Bossert says. “People are trying to read tea leaves, and those who are trying to read tea leaves are going to read [the CPGs] as maybe this is the first step. And maybe the second step will be to turn these into compulsory regulatory requirements. For now, I don’t read it that way.”

CISA goals might lead to industry cybersecurity best practices

Whatever the case, the CPGs are establishing benchmarks that regulators, insurers, and executives can use as guidelines for assessing cybersecurity performance according to a more formal rubric. “Having the Department of Homeland Security put this out gives it an extra level of attention that may capture the attention of boards and senior leadership,” says Montgomery.

The CPGs “can go a long way if you’re struggling to get budget or resources,” Miller says. “If DHS is asking, that gives you a little bit of extra push” to gain funding from upper management for cybersecurity or get them to help in some other way.

“Because DHS has issued these, now it’s in a practical sense, more likely that companies in the critical infrastructure sector are going to adopt these as best practices or as industry standards,” Bossert says. “I think it’s not about the government right now telling them that they have to, but if all of the similarly situated companies in their sector adopt them, those become the baseline standard for negligence. Once common standards materialize inside any industry or industry segment, they tend to form a baseline of good practice and conduct that others meet and hopefully meet or exceed.”