In today’s cybersecurity landscape, ensuring the implementation of best practices is essential for a resilient critical infrastructure where negative public impact is minimized when an event occurs. The Cybersecurity and Infrastructure Security Agency (CISA) has developed Cross-Sector Cybersecurity Performance Goals (CPGs) to help organizations prioritize their cybersecurity efforts. In this post we’ll take a closer look at the how the CPGs relate to the Cybersecurity Framework (CSF) Functions, their importance, and finally how CPGs complement the concept of Cybersecurity Performance Management (CPM)™ to effectively manage and strengthen cybersecurity posture and resilience.
Cybersecurity Performance Goals & NIST’s Cybersecurity Framework
CPGs are organized to work with the six National Institute of Standards and Technology’s (NIST) CSF Functions:
- Govern: Establishing, communicating, and monitoring the organization’s cybersecurity risk management strategy, expectations, and policy.
- Identify: Understanding the organization’s current cybersecurity risks.
- Protect: Implementing safeguards to manage cybersecurity risks.
- Detect: Identifying and analyzing possible cybersecurity attacks and compromises.
- Respond: Taking actions regarding detected cybersecurity incidents.
- Recover: Restoring assets and operations affected by cybersecurity incidents.
CISA’s CPGs are a subset of prioritized cybersecurity practices selected through extensive consultation with industry experts, government agencies, and other stakeholders. These voluntary goals are designed to reduce risks to critical infrastructure and the American public. According to CISA the CPGs are intended to be:
- A Baseline Set of Practices: Broadly applicable across critical infrastructure with proven risk-reduction value.
- A Benchmark for Maturity: Helping critical infrastructure operators measure and improve their cybersecurity maturity.
- Recommended Practices: Providing a prioritized set of security practices for both information technology (IT) and operational technology (OT) owners.
- Nationwide Risk Consideration: Addressing risks to individual entities and the aggregate risk to the nation.
Initially the CPGs were met with pushback according to an article from Government Technology published back in 2022, “some groups felt the goals were too prescriptive, while others said that these lists did not embrace (or align with) the National Institute of Standards and Technology (NIST) Cybersecurity Framework.”
However, if you take a closer look at CISA’s website, CPGs are aligned with the National Institute of Standards and Technology’s (NIST) CSF functions, and they are being updated to reflect NIST’s CSF 2.0.
Sector-Specific Cybersecurity Performance Goals
CISA has developed sector-specific goals in collaboration with each sector’s Sector Risk Management Agency (SRMA) and industry organizations. These goals provide additional practices to achieve a higher level of security tailored to the unique needs of each of the 16 Critical Infrastructure sectors. The sector-specific goals are being released in phases, with the first set available since spring 2024 (Energy, Financial Services, IT, and Chemical Sectors). Some goals were developed collaboratively but published by the SRMA.
Why Use CISA’s CPGs
Implementing CISA’s CPGs helps enhance their overall security by establishing a prioritized common foundation that reduces vulnerabilities to cyber threats. The structured approach of CPGs aids in proactive risk management, helping organizations prevent significant disruptions and financial losses. Furthermore, these goals support regulatory compliance, minimizing the risk of penalties and legal issues.
The CPGs emphasize the importance of having effective incident response and recovery plans, enabling companies to quickly handle cyber incidents and minimize operational impact. Investing in preventive cybersecurity measures guided by CPGs proves to be more cost-effective compared to managing the aftermath of cyberattacks. Adopting these goals also boosts public trust and reputation by demonstrating a commitment to strong cybersecurity practices, thereby enhancing trust among customers, partners, and stakeholders.
Moreover, the sector-specific guidance offered by CPGs ensures organizations implement the most relevant and effective cybersecurity measures for their unique environments and threats. CPGs are designed to be scalable and adaptable, making them suitable for organizations of varying sizes and maturity levels.
Using Cybersecurity Performance Management (CPM) to Assist with CPGs
TDI’s CPM framework can significantly aid organizations to achieve intended outcomes by ensuring CPG “Recommended Actions” are implementing and consistently managed throughout their journey as they baseline and mature.
The CPM framework assists in conducting comprehensive gap analyses to determine the current cybersecurity posture compared to CPGs, establishing baseline metrics, and developing detailed action plans to address identified gaps. With a CPM automation platform such as CnSight® organizations have real-time monitoring capabilities, ensuring all measures are effectively executed, and progress is tracked over time.
CPM enables organizations to set up key performance indicators (KPIs) aligned with CPGs, generating automated reports that provide insights into cybersecurity performance. It fosters continuous improvement by establishing a feedback loop, allowing regular review of performance data and refining strategies based on evolving threats and lessons learned.
Risk management reduction is another critical area where CPM proves valuable. CPM helps evaluate potential threats and vulnerabilities, prioritize remediation efforts, and ensure compliance with regulatory requirements by mapping CPGs to relevant standards.
Adopting CISA’s Cross-Sector Cybersecurity Performance Goals provides organizations with a comprehensive framework for enhancing their cybersecurity posture, managing risks, complying with regulations, and contributing to national security efforts. By leveraging CPM, organizations can systematically implement, track, and improve their cybersecurity practices, ensuring enhanced resiliency through visibility around priority security practices designed to protect critical infrastructure.
