The Department of Homeland Security (DHS) has released a set of "highest priority" baseline security measures for critical infrastructure owners and operators to adopt in defending against cyber threats.
With cyberattacks increasingly targeting infrastructure facilities, DHS and the Cybersecurity and Infrastructure Security Agency (CISA), which issued the performance goals, have made clear both their concern over potential attacks on the sector and the defensive challenges that owners and operators face.
Performance Goals Outlined
The Cross-Sector Cybersecurity Performance Goals (CPGs) cover the following:
- Account Security
- Device Security
- Data Security
- Governance and Training
- Vulnerability Management
- Supply Chain/Third Party
- Response and Recovery
On supply chain incident reporting, including arrangements with third-party suppliers such as managed security service providers, the CPGs specify the following:
"Procurement documents and contracts, such as Service Level Agreements (SLAs), stipulate that vendors and/or service providers notify the procuring customer of security incidents within a risk-informed timeframe as determined by the organization."
CISA said it had worked with "hundreds of public and private sector partners and analyzed years of data" to identify the key challenges that leave the nation at unacceptable risk. Factors such as cost, complexity and impact were weighed in setting the goals, which are designed to apply to organizations of all sizes, the agency said.
Goals Reflect NIST Framework
Jen Easterly, CISA director, wrote that the goals are intended to complement, not replace, the NIST Cybersecurity Framework:
“It became clear that even with comprehensive guidance from sources like the NIST Cybersecurity Framework, many organizations would benefit from help identifying and prioritizing the most important cybersecurity practices along with support in making a compelling argument to ensure adequate resources for driving down risk. The Cross-Sector Cybersecurity Performance Goals strive to address this need by providing an approachable common set of IT and OT cybersecurity protections that are clearly defined, straightforward to implement, and aimed at addressing some of the most common and impactful cyber risks.”
In the coming months, CISA said it will seek feedback on the CPGs from the critical infrastructure community, and it has already established a webpage dedicated to the goals. The agency said it will also begin working directly with individual critical infrastructure sectors as it builds out sector-specific CPGs.