CISA Issues Revised Cybersecurity Performance Goals

CISA updated its Cybersecurity Performance Goals (CPGs), originally released in October, in response to stakeholder feedback.

By Jill McKeon

The Cybersecurity and Infrastructure Security Agency (CISA) released an updated version of its Cybersecurity Performance Goals (CPGs), a set of voluntary practices that critical infrastructure organizations may adopt to mitigate cyber risk.

CISA initially released the CPGs in October 2022 in response to President Biden’s National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. The updated version has been reorganized according to stakeholder feedback.

The CPGs are now more closely aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) functions (Identify, Protect, Detect, Respond, and Recover) to help organizations more easily navigate the CPGs and prioritize investments accordingly.

“The CPGs are a prioritized subset of information technology (IT) and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques,” CISA stated.

“The goals were informed by existing cybersecurity frameworks and guidance, as well as the real-world threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners. By implementing these goals, owners and operators will not only reduce risks to critical infrastructure operations, but also to the American people.”

The CPGs are entirely voluntary and serve as a benchmark for critical infrastructure operators to measure their security maturity. CISA described the CPGs as “not comprehensive,” explaining that they are meant to “capture a core set of cybersecurity practices with known risk-reduction value broadly applicable across sectors” rather than serving as a complete roadmap to security and compliance.

In addition to closer alignment with the NIST CSF, CISA updated its multifactor authentication (MFA) section to reflect its most recent guidance regarding phishing-resistant MFA. CISA also added a goal to the CPGs based on GitHub feedback to aid in recovery planning, and made modifications to the glossary to reflect content changes.

“Following the release of the CPGs, CISA has taken—and will continue taking—input and welcomes feedback from partners from across the critical infrastructure community,” CISA continued.

Critical infrastructure owners and operators can expect further updates as well as sector-specific CPGs in the future.