The Cybersecurity and Infrastructure Security Agency (“CISA”) recently released a draft of the agency’s Cross-Sector Cybersecurity Performance Goals (“CPGs”) for critical infrastructure in the United States. The CPGs provide a common set of fundamental cybersecurity practices to guide critical infrastructure entities in measuring and improving their cybersecurity maturity.  

Developed in response to President Biden’s July 2021 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, the CPGs are intended to supplement the National Institute of Standards and Technology’s Cybersecurity Framework and offer a baseline of cybersecurity performance goals for Information Technology and Operational Technology.  The CPGs are divided into eight categories:

  • Account Security
  • Device Security
  • Data Security
  • Governance and Training
  • Vulnerability Management
  • Supply Chain/Third Party
  • Response and Recovery
  • Other

Each of the CPGs describes the risks the goal seeks to address, the ultimate security outcome, and the recommended actions to achieve the outcome. CISA noted that the CPGs are voluntary and designed to be easy to understand and communicate with non-technical audiences, including senior business leadership. CISA is now seeking comments on the CPGs from stakeholders in the critical infrastructure sectors via a dedicated website.

By admin