What are the Cross-Sector Cybersecurity Performance Goals?



In July 2021, President Biden signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. 

This memorandum required CISA, in coordination with the National Institute of Standards and Technology (NIST) and the interagency community, to develop baseline cybersecurity performance goals that are consistent across all critical infrastructure sectors. These voluntary cross-sector Cybersecurity Performance Goals (CPGs) are intended to help establish a common set of fundamental cybersecurity practices for critical infrastructure, and especially help small- and medium-sized organizations kickstart their cybersecurity efforts.  

The CPGs are a prioritized subset of information technology (IT) and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques. The goals were informed by existing cybersecurity frameworks and guidance, as well as the real-world threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners. By implementing these goals, owners and operators will reduce risks not only to critical infrastructure operations, but also to the American people.

The CPGs are intended to be:

  • A baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value.  
  • A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.  
  • A combination of recommended practices for IT and OT owners, including a prioritized set of security practices.  
  • Distinct from other control frameworks, as they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation.

CPGs and Cyber Security Framework (CSF):

The CPGs emphasize desired, measurable outcomes rather than prescriptive processes, techniques, or procedures. This approach defines the results to be achieved without dictating how they are obtained, which gives asset owners and operators the flexibility to implement the technologies and practices that work best for their company or facility. The NIST Cybersecurity Framework (CSF) is used as a subcategory within the CPGs' functional-alignment map. Namely, it incorporates the five NIST CSF functions:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover


How and Why Sicura?

At its core, security hardening of infrastructure assets and applications adds a layer of protection under the “defense-in-depth” approach to cybersecurity. Sicura’s product offering uses compliance scanning against different benchmarks and compliance standards to help organizations align closely with the NIST Cybersecurity Framework and, in turn, with the Cross-Sector Cybersecurity Performance Goals initiated by the President.

For more information about Sicura, its product offering, and how it can help your organization, reach out to hello@sicura.us or through our Contact Us page.