The Department of Homeland Security released highly anticipated cybersecurity performance goals designed to establish baseline measures that businesses and critical infrastructure providers can take to mitigate the impact of malicious cyberattacks.
The Cybersecurity and Infrastructure Security Agency developed the goals in close partnership with the National Institute of Standards and Technology, with the intent that they be implemented under the umbrella of the NIST Cybersecurity Framework.
“To reduce risk to the infrastructure and supply chains that Americans rely on every day, we must have a set of baseline cybersecurity goals that are consistent across all critical infrastructure sectors,” CISA Director Jen Easterly said in the announcement. “CISA has created such a set of cybersecurity performance goals to address medium-to-high impact cybersecurity risks to our critical infrastructure.”
CISA, a unit of DHS, developed the performance goals following a push by the White House to establish a more resilient national infrastructure following the SolarWinds supply chain attack in 2020 and a spate of ransomware attacks highlighted by the May 2021 Colonial Pipeline attack.
CISA emphasized the performance goals were voluntary, with no mandate for adoption or reporting to any particular government agency.
While the agency has released sector-specific cyber guidance for certain critical infrastructure sectors, including oil and gas pipelines and railroads, the cybersecurity performance goals are intended to apply broadly.
The benchmarks include security basics such as unique credentials, asset inventory, disabling macros by default, and log collection.
CISA plans to seek feedback from partners in the critical infrastructure community on the cybersecurity performance goals, and has set up a discussions webpage to accept that input. CISA also plans to work with specific critical infrastructure sectors, while it builds out sector-specific goals over the next few months.
Gartner VP Analyst Katell Thielemann said the announced goals represented a solid list of cyber hygiene efforts, but cautioned the devil will be in the details when it comes to implementation and noted that a planned GitHub forum will be a helpful tool.
“Most importantly, when it comes to cyber-physical systems in OT environments, the upcoming sector-specific goals are going to be key,” Thielemann said. “Unlike IT systems that tend to be standardized and cut across all verticals, cyber-physical security mandates a deep understanding of the operational business environments in which they operate, and therefore deep vertical industry knowledge is a must.”