On March 21, 2023, the United States Cybersecurity and Infrastructure Security Agency (“CISA”) announced the issuance of updated Cybersecurity Performance Goals (“CPGs”). The CPGs, which were originally released in October 2022, are intended to establish a set of fundamental cybersecurity practices to be voluntarily implemented by critical infrastructure owners and operators across all critical infrastructure sectors. The CPGs apply to both information technology (“IT”) and operational technology (“OT”) and are designed to reduce risk related to known, high-impact cyber threats and adversarial tactics, techniques, and procedures (“TTPs”).
Overview. The National Security Memorandum (the “Memorandum”) signed by President Biden in July 2021 directed the development of the CPGs to establish “a common understanding of the baseline security practices that critical infrastructure owners and operators should follow.” Consistent with the requirements of the Memorandum, the CPGs were developed by CISA in coordination with other U.S. government agencies, including the National Institute of Standards and Technology (“NIST”). The recent update more closely aligns the CPGs with the NIST Cybersecurity Framework (“CSF”) functions. According to CISA, the updated CPGs are designed to provide a baseline that critical infrastructure entities, especially “small- and medium-sized organizations,” can employ to “kickstart their cybersecurity efforts” and “meaningfully reduce the likelihood and impact of known risks and adversary techniques.” CISA notes that the CPGs are not intended to be “comprehensive” but, instead, are intended to capture a “core set” of practices “with known risk-reduction value [that are] broadly applicable across sectors.”
CPG Practices. There are 38 CPGs in total. Each CPG is documented with an "outcome" (the result the goal is meant to enable), the risk or adversarial TTP it addresses, its scope (whether it applies to IT, OT, or both), and a recommended action. The CPGs are unevenly divided among the corresponding NIST CSF functions: 9 are classified under Identify and 24 under Protect, with the remaining 5 divided between Detect (1), Respond (3), and Recover (1).
CPG Resources. CISA provides a range of resources designed to assist entities that seek to implement the CPGs, including a CPG Worksheet to help entities prioritize, track, and communicate regarding CPG implementation and a CPG Full Data Matrix, which provides the details of each CPG and mappings to other cybersecurity standards, including NIST Special Publication 800-53 and the International Organization for Standardization and International Electrotechnical Commission (“ISO/IEC”) 27001. The Worksheet and Matrix also provide cost, complexity, and impact information for each CPG, which is designed to help organizations prioritize and develop an investment strategy for implementation.
Looking Ahead. The release of updated CPGs comes on the heels of the Biden Administration’s publication of the National Cybersecurity Strategy (“Strategy”) on March 2, 2023. Notably, the CPGs themselves were referenced within the first objective of Pillar One of the Strategy, “Establish Cybersecurity Requirements to Support National Security and Public Safety.” While the Strategy refers to the CPGs as a key example of the Administration’s focus on critical infrastructure regulation that is voluntary and performance-based, critical infrastructure owners and operators should remain mindful that mandatory incident reporting regulations under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) are approaching and will take effect by September 2025, if not sooner. Accordingly, critical infrastructure owners and operators who may eventually be covered entities under CIRCIA could benefit from evaluating and, if warranted, working to implement the CPGs, especially those related to incident response, ahead of CIRCIA’s mandatory incident reporting requirements. However, it will likely remain unclear exactly which critical infrastructure organizations will be deemed covered entities under CIRCIA until CISA promulgates its Notice of Proposed Rulemaking sometime within the next year.