The Cybersecurity and Infrastructure Security Agency has issued cybersecurity performance goals to help critical infrastructure operators and other companies prioritize the adoption of key security measures.
The performance goals issued today are based on the National Institute of Standards and Technology Cybersecurity Framework. CISA describes the goals document as a “quick-start guide” to help organizations start adopting the NIST framework and a more comprehensive cybersecurity program. The goals apply to both information technology and operational technology.
“The goals were developed to really represent a minimum baseline of cybersecurity measures that, if implemented, will reduce not only risk to critical infrastructure, but also to national security, economic security and public health and safety,” CISA Director Jen Easterly said in a call with reporters this morning.
She said the measures were developed with feedback from “hundreds of organizations across the government and the private sector, as well as our international partners.”
President Joe Biden directed the Department of Homeland Security to develop the cybersecurity performance goals under a national security memorandum issued last July. The goals are voluntary, although the Biden administration is separately moving forward with cyber regulations for specific critical infrastructure sectors.
“Whether these are used by regulatory agencies or by others as part of the standards that they go to look at for those purposes, I would leave it to them,” Easterly said. “We see these as voluntary tools that any business, large and small, critical infrastructure, can take to ensure the resilience of their systems and to drive down risk.”
Biden’s memorandum additionally directed DHS to develop “sector-specific” goals, and allows for consideration of whether new authorities are necessary to better defend critical infrastructure.
Eric Goldstein, CISA’s executive assistant director for cybersecurity, said his agency is initiating talks with sector risk management agencies this week to consider how to build upon the cross-sector goals issued today.
“Certainly where CISA serves as the sector risk management agency, we are going to have deep and collaborative conversations with those sectors who we serve,” Goldstein said. “And for sectors where we are not the sector risk management agency, we are working closely with each SRMA to understand how the cross-sector goals apply to their sectors and the need to develop sectoral goals in the near or medium term. And that’s a process that’s going to be ongoing in the months to come.”
The cybersecurity measures are also relevant for federal agencies. Goldstein said they are consistent with measures outlined in last May’s cybersecurity executive order, as well as the federal zero trust strategy published in January.
“We are absolutely intending to integrate these goals in the guidance, the assessment, the measurement of federal agencies that we undertake with our partners at the Office of Management and Budget and the Office of the National Cyber Director,” Goldstein said.