On October 27th, the Cybersecurity and Infrastructure Security Agency (CISA) released its cybersecurity performance goals (CPGs), which set out a baseline of high-priority practices that both critical infrastructure owners and businesses of all sizes can carry out to protect themselves against cyber threats.
These key performance goals have been developed by CISA over the last year. Cyberscoop reported that CISA analysed years of data and worked with hundreds of private and public sector partners to identify the key challenges that could leave the US in a position of unacceptable risk. Alejandro N. Mayorkas, Secretary of Homeland Security, stated that “organizations across the country increasingly understand that cybersecurity risk is not only a fundamental business challenge but also presents a threat to our national security and economic prosperity”. The newly developed CPGs will help businesses make informed decisions about how best to direct their cybersecurity investments, so that they can protect their business with confidence whilst also safeguarding the security of the country.
The goals have been clearly outlined in a measurable format so that organisations of all sizes can adhere to them. Each goal is described in terms of its cost, impact and complexity, and the goals can be broadly applied across the sixteen critical infrastructure sectors. CISA will begin work on specific goals for each of the sixteen sectors; in the meantime, these initial CPGs serve as a primary blueprint.
The introduction of the CPGs is a timely announcement, as the US is operating in an increasingly complex cyber threat environment. On the same day that CISA published its CPGs, the New York Post was hacked by an employee who used Twitter to share offensive articles related to the newspaper’s content. Just three days after the publication of the CPGs, on 30th October, Reuters reported that CISA had expressed concern about the ‘range of threats, including cyber, insider, physical and disinformation’ coinciding with the mid-term elections that take place in the US this November. Jen Easterly, a cybersecurity official at CISA under the Biden administration, has stated that CISA is ‘distributing information about disinformation campaigns and tactics that seek to undermine confidence in US elections’, and is encouraging both state and local election officials to invest in measures that protect their systems from cyberattacks.
Whilst these performance goals are voluntary, with no mandate or requirement for their adoption, protecting national security is a grave concern for CISA, and the new CPGs reflect the Biden-Harris Administration’s ongoing work to ensure the country is able to fight back against escalating national cyber risk and to secure its critical infrastructure. According to Cybersecurity Dive, the goals represent a push by the White House to create a more resilient national infrastructure in the aftermath of the SolarWinds supply chain attack in 2020 and the Colonial Pipeline ransomware attack of May 2021.
CISA’s Jen Easterly also told Cyberscoop that the cybersecurity performance goals ‘should be useful particularly for small and medium sized businesses that are often under-resourced’. She added that she believes ‘the cybersecurity performance goals can be thought of as a bit of a quick-start guide and can be used as a place to start to drive, prioritize investment for the most critical practices across both IT and OT’.
It is clear that cybersecurity and good cyber hygiene are a national priority within the United States. This is particularly true for the financial industry. Good cyber hygiene means having an array of practices in place that minimise the risk of cyber breaches and attacks.
Understanding a company’s overall risk posture is therefore critical. RFA works alongside businesses in the financial industry to help them manage their cyber hygiene and risk posture, whilst also helping them understand the specific threats in their field and the vulnerabilities unique to their organization. If you would like assistance in strengthening your risk management and cybersecurity so that they are aligned with clear performance goals, contact me today.