How Can You Lower Risk with CISA’s Cybersecurity Performance Goals?


Recently, the US Cybersecurity and Infrastructure Security Agency (CISA) announced the release of voluntary cross-sector Cybersecurity Performance Goals (CPGs), created in conjunction with the National Institute of Standards and Technology (NIST) and the interagency community.

Why did they create these goals? Because, in 2021, President Biden asked CISA to create sector-agnostic guidance for organizations that use IT and operational technology (OT) to better protect our nation from state hacking and other cybersecurity threats.

Here’s everything you need to know about the CPGs and how they can help your company. 

What Are the Cybersecurity Performance Goals? 

In a statement about the CPGs, CISA explained that these goals are:

“a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques.” 

Note that the CPGs are goals, not mandates. They are voluntary, so you don’t have to implement them – but you may well want to.

The CPGs correlate strongly with NIST’s well-known Cybersecurity Framework (CSF). However, the goals are not as in-depth as the CSF, which may make them more attractive to organizations that find the density of the CSF overwhelming and complex.

Moreover, CISA noted that, “It became clear that even with comprehensive guidance from sources like the NIST Cybersecurity Framework, many organizations would benefit from help identifying and prioritizing the most important cybersecurity practices along with support in making a compelling argument to ensure adequate resources for driving down risk.” 

What do the Cybersecurity Performance Goals Consist Of? 

The CPGs are laid out in a digestible 28-page PDF, with goals separated into eight topics:

  • Account security
  • Device security
  • Data security
  • Governance and training
  • Vulnerability management
  • Supply chain/third party
  • Response and recovery
  • Other

Within each topic, there are several goals that organizations can focus on. Each goal is written outcome-first: it starts with the desired outcome the organization should reach, followed by the actions and controls to implement in order to reach that outcome.

We think that the layout of the CPGs is really valuable for small businesses. The format is intuitive and easy to understand, and the document does a good job of simplifying often complex cybersecurity language.

The CPGs Aren’t Final Just Yet 

While the CPG document is a great source of cybersecurity information and inspiration, it’s still a work in progress. With this release, CISA is hoping to gain feedback from industry organizations and cybersecurity bodies so that it can further improve the goals and ensure nothing important has been missed.

From our view, we expect to see a bigger focus on supply chain security in future iterations. We also think CISA should spend more time explaining and advising on network security goals, which are often overlooked by small businesses these days. 

Will The CPGs Always Be Voluntary? 

For now, CISA has made clear that the CPGs are voluntary, but this may change over time, especially if CISA wants organizations to adopt the goals on a widespread basis. Without mandating the goals, there’s no real motivation for companies to make changes to their cybersecurity processes – other than, of course, the fear of suffering a data breach or cyber attack.

However, we think that many organizations working with government bodies may begin adopting the CPGs in order to ensure they maintain their contracts. While the goals are voluntary, it may be that the government chooses to work with companies that can evidence adherence to the CPGs, or that are working towards that status.

Looking to the Future

While the voluntary status of the CPGs hangs in the balance, one thing is for certain: these goals are an excellent benchmark that compliance regulators, cybersecurity insurers and business leaders can use to glean insights about their cybersecurity performance in comparison to best practice. 

Moreover, for companies in critical infrastructure sectors that are concerned about cybersecurity but struggling to obtain a budget from their leadership team, the CPGs can be used to highlight the significance of effective cybersecurity to stakeholders. Plus, for organizations unsure of how to prioritize cybersecurity, the CPGs offer a well-framed formula for implementing cybersecurity measures that make a real difference.

How Can I Implement The CPGs In My Organization?

If the CPGs are relevant to your organization but you don’t have an IT or security team to spearhead implementation, the best thing you can do is work with a specialist managed IT provider with deep knowledge of cybersecurity, operational technology and information technology.

That’s where we come in. Unbound Digital’s specialist team is highly familiar with the NIST CSF and the new CPGs. We can help your organization understand whether the CPGs are right for you. If they are, we’ll take care of implementation for you. For organizations looking to genuinely improve their cybersecurity maturity, we can also create a bespoke security program that protects you from the latest threats 24/7. 

Contact us today to find out more.