The recent US national security community memorandum on Cross-Sector Cybersecurity Performance Goals (CPG) addresses risks to the nation and individual entities. This is a big shift from other well-known baseline documents, such as the CIS Benchmarks or the NIST Security Guidance. This is a starting point to ensure organizations are all starting on the same footing. CISA spells this out on the same page when they describe what the CPGs are.
The goals provide consistency across all critical infrastructure. The primary webpage for these goals gives us a great understanding of what they are (and are not). The goals are voluntary and do not create new authorities mandating adoption or providing reporting regarding the CPGs to any agency. They do not identify all cybersecurity practices needed, but capture a core set of cybersecurity practices with known risk-reduction value broadly applicable across sectors.
- A baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value.
- A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.
- A combination of recommended practices for IT and OT owners, including a prioritized set of security practices.
- Unique from other control frameworks as they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation.
Voluntary benchmarks are great, but they don’t necessarily have the same adoption as mandatory certifications.
What is included in the CPGs?
The selection criteria for each goal significantly and directly reduce the risk or impact caused by commonly observed, cross-sector threats and adversary Tactics, Techniques, and Procedures (TTPs.) They are clear, actionable, easily definable, and not cost-prohibitive for even small- and medium-sized entities to successfully implement.
We’re simplifying to the basics and, as we’ve seen time and time again, a lot of organizations are breached because they forget about the basics. As you dig into the sections the CPGs are split into and think about the fact that the goal was something straightforward and not cost-prohibitive that isn’t comprehensive, it seems like a decent initial target was selected. Once you start to break these down, you will appreciate the depth the document covers.
CPG Sections
Most of these categories are commonplace in various benchmarks, policies, and certifications, and the guidance within them is exactly what you would expect. Account Security is focused on password policies and MFA. They did not include a password aging policy as it is no longer applicable in the majority of situations. Device Security looks at asset management, documented device configuration, a hardware and software approval process.
Data Security covers logging and encryption, while Governance and Training looks at training and corporate leadership on a granular level. For example, Section 4.5, Improving IT and OT Cybersecurity Relationships, suggests throwing a pizza party or social gathering at least once a year to improve relationships between those in IT and OT cybersecurity. Silos are all-too-common in many industries, and IT and OT cybersecurity truly suffer from this. To my knowledge, it is the first time that this has been called out in any published guidance.
The Vulnerability Management section was larger than I expected it to be, and the breakdown here is fantastic. I’ve spent most of my career in the vulnerability management space and I was really excited to see what they had in here. From references to limiting your external attack surface, to mitigating known vulnerabilities, there are a lot of great recommendations. Pointing out that security researchers are protected under Safe Harbor rules and recommending the use of a security.txt file based on RFC9116 was a nice touch that you rarely see in this type of guidance.
Missed opportunity
Software Bill of Materials (SBOMs) were not referenced in the Supply Chain / Third Party section. Given that SBOMs are another CISA initiative, it may be a missed opportunity. They do mention important things, however, like specifying the vendor/supplier cybersecurity requirements, and establishing supply-chain incident reporting and vulnerability disclosure. Response and Recovery covering incident reporting and response plans, system backups, and a documented network topology. The documented network topology adds a nice touch.
The CPGs finish off with a grab bag called Other. Network segmentation, detecting relevant threats and TTPs, and email security could have all used additional discussion in the document, especially since email security seems to have multiple bullet points merged together.
The initial packet includes the details discussed, recommended actions, a worksheet for assessment, and an excel document mapping to the NIST Cybersecurity Framework, NIST SP 800-53, ISA 62443, ISO 27001. Overall, this is a great start from CISA and a great baseline for businesses to implement.