The Cybersecurity and Infrastructure Security Agency has issued cybersecurity performance goals to help critical infrastructure operators and other companies prioritize the adoption of key security measures.
The performance goals issued today are based on the National Institute of Standards and Technology Cybersecurity Framework. CISA describes the goals document as a “quick-start guide” to help organizations start adopting the NIST framework and a more comprehensive cybersecurity program. The goals apply to both information technology and operational technology.
“The goals were developed to really represent a minimum baseline of cybersecurity measures that, if implemented, will reduce not only risk to critical infrastructure, but also to national security, economic security and public health and safety,” CISA Director Jen Easterly said in a call with reporters this morning.
She said the measures were developed with feedback from “hundreds of organizations across the government and the private sector, as well as our international partners.”
“Whether these are used by regulatory agencies or by others as part of the standards that they go to look at for those purposes, I would leave it to them,” Easterly said. “We see these as voluntary tools that any business, large and small, critical infrastructure, can take to ensure the resilience of their systems and to drive down risk.”
Biden’s memorandum additionally directed DHS to develop “sector-specific” goals, and allows for consideration of whether new authorities are necessary to better defend critical infrastructure.
Eric Goldstein, CISA’s executive assistant director for cybersecurity, said his agency is initiating talks with sector risk management agencies this week to consider how to build upon the cross-sector goals issued today.
“Certainly where CISA serves as the sector risk management agency, we are going to have deep and collaborative conversations with those sectors who we serve,” Goldstein said. “And for sectors where we are not the sector risk management agency, we are working closely with each SRMA to understand how the cross-sector goals apply to their sectors and the need to develop sectoral goals in the near or medium term. And that’s a process that’s going to be ongoing in the months to come.”
“We are absolutely intending to integrate these goals in the guidance, the assessment, the measurement of federal agencies that we undertake with our partners at the Office of Management and Budget and the Office of the National Cyber Director,” Goldstein said.
CISA also notes that the goals are not intended to be comprehensive. “They do not identify all the cybersecurity practices needed to protect national and economic security and public health and safety,” CISA states on its website. “They capture a core set of cybersecurity practices with known risk-reduction value broadly applicable across sectors.”
In a statement, Ari Schwartz, executive director of the Cybersecurity Coalition, applauded CISA’s work “under tight timelines” for releasing the goals. Schwartz served in the White House as special assistant to the president and senior director for cybersecurity during the Obama administration.
“It is clear that the main thing that stakeholders have been asking for, organization around the NIST Cybersecurity Framework Categories, still needs some work,” Schwartz said. “CISA has told us that their future efforts on the Performance Goals will address this issue and we look forward to working with them to ensure that organizations are most efficiently able to use this product.”