CISA’s Cyber Performance Goals for Better Security

Originally published by Orca Security.

Written by Doug Hudson.

Last year, the Cybersecurity and Infrastructure Security Agency (CISA) released its 2022 Cross-Sector Cybersecurity Performance Goals in order to provide guidance for improving cybersecurity across government and private sector organizations. This was the initial publication from CISA and will be updated regularly with coordination from NIST, with a targeted revision cycle of at least every 6 to 12 months. A key component of this publication is to deliver a set of cybersecurity protective measures that any organization can implement.

Key Cybersecurity Challenges

CISA worked with numerous organizations across a range of industries, identifying four key cybersecurity challenges that US organizations face:

1. Organizations have not adopted fundamental security protections
2. Mid and small market organizations are left behind
3. Consistent cybersecurity standards and maturity are lacking
4. Operational Technology (OT) cybersecurity remains overlooked and under-resourced

In identifying these challenges, CISA highlights focus areas where organizations can concentrate their efforts to reduce their overall cyber risk. Additionally, these four key challenges set the foundation for establishing CISA’s Cyber Performance Goals (CPGs) and associated characteristics:

• A prioritized subset of cybersecurity practices
• For IT and OT
• Prioritized for risk reduction
• Informed by threats observed by CISA and its government and industry partners
• Applicable across all Critical Infrastructure (CI) sectors
• Intended to meaningfully reduce risks to both CI operations and to the American people

Generally stated, these CPGs provide an organized set of cybersecurity practices for establishing the foundation of an adequate cyber risk posture. Further, this foundation will enable organizations to build solid cybersecurity practices while managing and maintaining a strong cyber risk posture.

For clarity, the CPGs selected are based on the following criteria:

1. Significantly and directly reduce the risk or impact caused by commonly observed, cross-sector threats and adversary TTPs.
2. Clear, actionable, and easily definable.
3. Reasonably straightforward and not cost-prohibitive for even small- and medium-sized entities to successfully implement.

It should also be noted what the CPGs are not:

• Designed to be the cybersecurity or risk management program for an organization since they do not discuss the general practices in risk management.
• Not fully inclusive of every cybersecurity practice an organization should employ, but rather set the foundation on which to build upon.
• Not a maturity model and not mandated by CISA.

Understanding the Cyber Performance Goals Model

As stated above, CISA’s CPG model is designed to be actionable, targeted, and to reduce risk. For example, section 1.1 Detection of Unsuccessful (Automated) Login Attempts of the CPG Worksheet – Account Security, defines the outcome “Protect organizations from Automated, credential-based attacks,” the Risk Addressed, Scope, and Recommended Action.

These are also aligned to NIST Cybersecurity Framework (CSF) for reference and to enable tracking with organizational compliance and risk management practice requirements. This model is visualized so that organizations can easily interpret the intention and outcome of each goal. To this end, each goal is broken down into base components.

There are additional free resources and materials for practitioners that will assist in prioritization of CPGs for their organization, tracking implementation status, and communications with stakeholders. Further guidance and instructions on CPG worksheet use can be found here.