Thursday, October 27, 2022

Review - Cybersecurity Performance Goals for CI

Today, CISA announced the publication of “New Cybersecurity Performance Goals for Critical Infrastructure” which include “voluntary practices that outline the highest-priority baseline measures businesses and critical infrastructure owners of all sizes can take to protect themselves against cyber threats.” While this document (Cross-Sector Cybersecurity Performance Goals (CPG)) was produced by CISA, the agency has been working with a variety of private sector organizations and individuals (an impressive list on the last page of the document) in developing these voluntary practices.


CISA is continuing to try to treat cybersecurity as something that it can convince critical infrastructure to accomplish if it just provides enough guidance. This continues the admittedly good work that NIST did in developing the Cybersecurity Framework. Where the CSF was at heart a cyber threat management document, these CPGs attempt to put more emphasis on the cybersecurity activities that would help organizations reduce the cyber threat currently facing critical infrastructure.

The problem remains that, of necessity, the recommended actions are written broadly enough that it may not be clear to non-technical managers whether or not they have actually been adequately applied. Nor is it going to be easy for even technical managers to ensure that they have been applied, even inadequately, to all of the potentially affected devices in an organization.

Of course, the same problems would apply if this were a cybersecurity mandate instead of a voluntary program. CISA certainly does not have enough personnel (forget trained personnel) to field an adequate compliance inspection team. Even requiring third-party compliance verification would require a workforce that would cut into the personnel necessary to implement the requirements. So much for easy answers.

The problem could be made more manageable if CISA were able to designate a small set of especially critical infrastructure organizations that would, in turn, identify mission-critical resources that would be subject to mandatory cybersecurity controls.


For more details about the CPG and supporting documentation see my article at CFSN Detailed Analysis (subscription required).

