CISA announces cybersecurity performance goals for critical infrastructure

The voluntary goals are meant to be a starting guide for critical infrastructure in both IT and OT environments.
Cybersecurity and Infrastructure Security Agency Director Jen Easterly testified before a House Homeland Security Subcommittee on April 28. (Photo by Kevin Dietsch/Getty Images)

The Cybersecurity and Infrastructure Security Agency released long-awaited performance goals aimed at setting baseline vital practices for critical infrastructure.

The agency created the voluntary goals to broadly apply across all 16 critical infrastructure sectors with a particular focus on the smaller organizations that lack the resources for a robust cybersecurity plan.

“The [cybersecurity performance goals] can be thought of as a bit of a quick-start guide,” CISA Director Jen Easterly told reporters on Thursday. “Really a place to start to drive, prioritize investment for the most critical practices across both IT and OT.”

President Biden’s April 2021 memorandum on industrial control cybersecurity called for the goals. The memo directed both CISA and the National Institute of Standards and Technology to develop baseline cybersecurity practices, which will not override existing regulatory mandates.


Easterly said that the goals should be particularly useful for small and medium-sized businesses that are often under-resourced. CISA is also releasing a checklist that prioritizes performance goals based on cost, impact and complexity, Easterly said.

The performance goals are expected to be used in concert with the NIST Cybersecurity Framework.

CISA officials lauded the work of the operational technology community to ensure the performance goals considered the unique challenges of industrial cybersecurity.

“It’s an area where we’re really proud of,” said Eric Goldstein, executive assistant director at CISA. “A few months ago, we stood up our new Joint Cyber Defense Collaborative ICS Group, the JCDC-ICS, that contains many of the nation’s leading ICS and OT manufacturers, vendors, and cybersecurity companies, and they were absolutely invaluable in this work of providing us with a detailed and candid on-the-ground sense of what works and doesn’t work.”

Goldstein continued: “That was really the most robust lines of collaboration throughout the whole process that led to this point.”


The baseline goals are just the first step. CISA is planning to develop more specific goals for each sector. CISA also released the goals on the development platform GitHub for additional comment and feedback.
