On March 21, 2023, the United States Cybersecurity and Infrastructure Security Agency (“CISA”) announced the issuance of updated Cybersecurity Performance Goals (“CPGs”).  The CPGs, which were originally released in October 2022, are intended to establish a set of fundamental cybersecurity practices to be voluntarily implemented by critical infrastructure owners and operators across all critical infrastructure sectors.  The CPGs apply to both information technology (“IT”) and operational technology (“OT”) and are designed to reduce risk related to known, high-impact cyber threats and adversarial tactics, techniques, and procedures (“TTPs”).

Overview.  The National Security Memorandum (the “Memorandum”) signed by President Biden in July 2021 directed the development of the CPGs to establish “a common understanding of the baseline security practices that critical infrastructure owners and operators should follow.”  Consistent with the requirements of the Memorandum, the CPGs were developed by CISA in coordination with other U.S. government agencies, including the National Institute of Standards and Technology (“NIST”).  The recent update more closely aligns the CPGs with the NIST Cybersecurity Framework (“CSF”) functions.  According to CISA, the updated CPGs are designed to provide a baseline that critical infrastructure entities, especially “small- and medium-sized organizations,” can employ to “kickstart their cybersecurity efforts” and “meaningfully reduce the likelihood and impact of known risks and adversary techniques.”  CISA notes that the CPGs are not intended to be “comprehensive” but, instead, are intended to capture a “core set” of practices “with known risk-reduction value [that are] broadly applicable across sectors.”

CPG Practices.  There are 38 CPGs in total.  Each CPG includes a corresponding “outcome,” which reflects the ultimate goal that each CPG seeks to enable, the risk or adversarial TTP that each CPG addresses, the scope of each CPG (e.g., whether it is intended to apply to IT, OT, or both), and the recommended action for each CPG.  The CPGs are unevenly divided among the corresponding NIST CSF functions:  9 are classified under Identify and 24 are classified under Protect, with the remaining 5 divided between Detect (1), Respond (3), and Recover (1).

CPG Resources.  CISA provides a range of resources designed to assist entities who seek to implement the CPGs, including a CPG Worksheet to help entities prioritize, track, and communicate regarding CPG implementation and a CPG Full Data Matrix, which provides the details of each CPG and mappings to other cybersecurity standards, including NIST Special Publication 800-53 and the International Organization for Standardization and International Electrotechnical Commission (“ISO/IEC”) 27001.  The Worksheet and Matrix also provide cost, complexity, and impact information for each CPG, which is designed to help organizations prioritize and develop an investment strategy for implementation.

Looking Ahead.  The release of updated CPGs comes on the heels of the Biden Administration’s publication of the National Cybersecurity Strategy (“Strategy”) on March 2, 2023.  Notably, the CPGs themselves were referenced within the first objective of Pillar One of the Strategy—Establish Cybersecurity Requirements to Support National Security and Public Safety.  While the Strategy refers to the CPGs as a key example of the Administration’s focus on critical infrastructure regulation that is voluntary and performance-based, critical infrastructure owners and operators should remain mindful that mandatory incident reporting regulations under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) are approaching and will take effect by September 2025, if not sooner.  Accordingly, critical infrastructure owners and operators who may eventually be covered entities under CIRCIA could benefit from evaluating and, if warranted, working to implement the CPGs, especially those related to incident response, ahead of CIRCIA’s mandatory incident reporting requirements.  However, it will likely remain unclear exactly what critical infrastructure organizations will be deemed covered entities under CIRCIA until CISA promulgates its Notice of Proposed Rulemaking sometime within the next year.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Ashden Fein Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients…

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the
U.S. Army Reserve.

Photo of Micaela McMurrough Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other…

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.

Photo of Moriah Daugherty Moriah Daugherty

Moriah Daugherty advises clients on a broad range of cybersecurity, data privacy, and national security matters, including government and internal investigations, regulatory inquiries, litigation, and compliance with state and federal privacy laws.

As part of her cybersecurity practice, Moriah specializes in assisting clients…

Moriah Daugherty advises clients on a broad range of cybersecurity, data privacy, and national security matters, including government and internal investigations, regulatory inquiries, litigation, and compliance with state and federal privacy laws.

As part of her cybersecurity practice, Moriah specializes in assisting clients in responding to cybersecurity incidents, including matters involving Advanced Persistent Threats targeting sensitive intellectual property and personally identifiable information. Moriah also assists clients in evaluating existing security controls and practices, assessing information security policies, and preparing for cyber and data security incidents.

As part of her litigation and investigations practice, Moriah leverages her government experience to advise clients on national security and law enforcement related compliance issues, internal investigations, and response to government inquiries.

Prior to becoming a lawyer, Moriah spent eight years working for the Federal Bureau of Investigation and U.S. Department of Justice.

Photo of John Webster Leslie John Webster Leslie

Web Leslie advises clients on a broad range of risks, challenges, and opportunities at the intersection of technology and security, including on matters of cybersecurity, critical infrastructure, national security, and data privacy.

As a part of his investigations practice, Web helps clients navigate…

Web Leslie advises clients on a broad range of risks, challenges, and opportunities at the intersection of technology and security, including on matters of cybersecurity, critical infrastructure, national security, and data privacy.

As a part of his investigations practice, Web helps clients navigate complex civil and criminal investigations related to cyber and national security, including under the False Claims Act, FTC Act, and state equivalents. His practice also includes helping clients manage internal investigations related to cyber compliance and insider threat risks. Web also routinely advises clients throughout all stages of incident response and breach notification arising from nation-state activity, sophisticated criminal threat actors, and other cyber threats.

On compliance matters, Web assists clients across numerous industries, including in healthcare, financial services, telecommunications, technology, transportation, manufacturing, food and beverage, and insurance, to address the ever-expanding regulatory landscape. He advises on various issues including: statutory and contractual security requirements, cybersecurity guidance and best practices, cyber maturity assessments, incident preparedness, critical infrastructure risks, third-party risk management, and international cyber regulations, among others. Web’s regulatory practice also includes public policy advocacy related to cyber regulation and national security policy.

In addition to his regular practice, Web counsels pro bono clients on technology, immigration, and criminal law matters.

Web previously served in government in different roles at the Department of Homeland Security, including at the National Protection and Programs Directorate—known today as the Cybersecurity and Infrastructure Security Agency—where he specialized in cybersecurity and critical infrastructure protection, public-private partnerships, and interagency cyber operations. He also served as Special Assistant to the Secretary of Homeland Security.