CISA unveils voluntary cybersecurity performance goals

The goals are voluntary, but the Biden administration is separately pressing certain critical infrastructure sectors to adopt minimum cyber standards.

The Cybersecurity and Infrastructure Security Agency has issued cybersecurity performance goals to help critical infrastructure operators and other companies prioritize the adoption of key security measures.

The performance goals issued today are based on the National Institute of Standards and Technology Cybersecurity Framework. CISA describes the goals document as a “quick-start guide” to help organizations start adopting the NIST framework and a more comprehensive cybersecurity program. The goals apply to both information technology and operational technology.

“The goals were developed to really represent a minimum baseline of cybersecurity measures that, if implemented, will reduce not only risk to critical infrastructure, but also to national security, economic security and public health and safety,” CISA Director Jen Easterly said in a call with reporters this morning.

She said the measures were developed with feedback from “hundreds of organizations across the government and the private sector, as well as our international partners.”

President Joe Biden directed the Department of Homeland Security to develop the cybersecurity performance goals under a national security memorandum issued last July. The goals are voluntary, although the Biden administration is separately moving forward with cyber regulations for specific critical infrastructure sectors.

“Whether these are used by regulatory agencies or by others as part of the standards that they go to look at for those purposes, I would leave it to them,” Easterly said. “We see these as voluntary tools that any business, large and small, critical infrastructure, can take to ensure the resilience of their systems and to drive down risk.”

Biden’s memorandum additionally directed DHS to develop “sector-specific” goals, and allows for consideration of whether new authorities are necessary to better defend critical infrastructure.
Eric Goldstein, CISA’s executive assistant director for cybersecurity, said his agency is initiating talks with sector risk management agencies this week to consider how to build upon the cross-sector goals issued today.

“Certainly where CISA serves as the sector risk management agency, we are going to have deep and collaborative conversations with those sectors who we serve,” Goldstein said. “And for sectors where we are not the sector risk management agency, we are working closely with each SRMA to understand how the cross sector goals apply to their sectors and the need to develop sectoral goals in the near or medium term. And that’s a process that’s going to be ongoing in the months to come.”

The cybersecurity measures are also relevant for federal agencies. Goldstein said they are consistent with measures outlined in last May’s cybersecurity executive order, as well as the federal zero trust strategy published in January.

“We are absolutely intending to integrate these goals in the guidance, the assessment, the measurement of federal agencies that we undertake with our partners at the Office of Management and Budget and the Office of the National Cyber Director,” Goldstein said.

CISA also notes that the goals are not intended to be comprehensive. “They do not identify all the cybersecurity practices needed to protect national and economic security and public health and safety,” CISA states on its website. “They capture a core set of cybersecurity practices with known risk-reduction value broadly applicable across sectors. ”

In a statement, Ari Schwartz, executive director of the Cybersecurity Coalition, applauded CISA’s work “under tight timelines” for releasing the goals. Schwartz served in the White House as special assistant to the president and senior director for cybersecurity during the Obama administration.

“It is clear that the main thing that stakeholders have been asking for, organization around the NIST Cybersecurity Framework Categories, still needs some work,” Schwartz said. “CISA has told us that their future efforts on the Performance Goals will address this issue and we look forward to working with them to ensure that organizations are most efficiently able to use this product.”


Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Amelia Brust/Federal News Network

    Biden administration’s cyber regulatory plan comes into focus

    Read more
    Getty Images/iStockphoto/TU IS

    Federal efforts on critical infrastructure cybersecurity come under White House review

    Read more
    AP Photo/Ted ShaffreyColonial Pipeline storage tanks are seen in Woodbridge, N.J., Monday, May 10, 2021. Gasoline futures are ticking higher following a cyberextortion attempt on the Colonial Pipeline, a vital U.S. pipeline that carries fuel from the Gulf Coast to the Northeast. (AP Photo/Ted Shaffrey)

    Biden administration eyes mandates under new effort to improve critical infrastructure cybersecurity

    Read more