CISA Releases Revised Cybersecurity Performance Goals for Critical Infrastructure

Key Takeaways:

  • The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Cross-Sector Cybersecurity Performance Goals (CPGs) to version 2.0, incorporating three years of operational insights and addressing emerging threats.
  • The updated CPGs include a new "Govern" category, consolidated IT and OT goals, and new goals focused on supply-chain risks, zero-trust architecture, and incident-response communications.
  • The changes aim to promote accountability, improve risk management, and support strategic cybersecurity governance across sectors.
  • CISA made the changes based on feedback from hundreds of stakeholders in government and industry.
  • The updated CPGs provide clearer language on implementation, improved descriptions of each goal’s cost, impact, and difficulty level, and remove underutilized goals.

Introduction to CISA’s Updated CPGs
The Cybersecurity and Infrastructure Security Agency (CISA) has released an updated list of goals, known as the Cross-Sector Cybersecurity Performance Goals (CPGs), to help critical infrastructure operators protect their systems from hackers. Version 2.0 of the CPGs incorporates three years of operational insights and addresses emerging threats through data-driven, actionable guidance. The updates aim to promote accountability, improve risk management, and support strategic cybersecurity governance across sectors. The CPGs are designed to provide organizations with measurable objectives, break down silos between IT and OT, and help business leaders make strategic cybersecurity investments.

Changes and Improvements in Version 2.0
The updated CPGs include several significant changes, among them a new "Govern" category, which emphasizes the importance of business leaders’ involvement in overseeing cybersecurity. The IT and OT goals have been consolidated, and new goals have been added to focus on supply-chain risks, zero-trust architecture, and incident-response communications. The language used in the CPGs has been clarified to make it easier for organizations to implement the goals. Additionally, the updated CPGs provide improved descriptions of each goal’s cost, impact, and difficulty level, making it easier for organizations to prioritize and plan their cybersecurity efforts. Three goals that were previously standalone have been removed, as they were found to be confusing or underutilized.

Development and Feedback
The changes to the CPGs were made based on feedback from hundreds of stakeholders in government and industry. Madhu Gottumukkala, CISA’s acting director, stated that the updates demonstrate the agency’s commitment to listening to and incorporating partner feedback to deliver practical, outcome-driven guidance. The feedback was used to refine the CPGs and ensure that they are relevant and effective in addressing the evolving cybersecurity landscape. The updated CPGs are designed to be actionable and provide organizations with a clear understanding of what they need to do to improve their cybersecurity posture.

Background and Context
The original cross-sector CPGs were released by CISA in late 2022, with the goal of providing all critical infrastructure organizations with a clear, uniform set of security expectations. Since then, CISA has developed sector-specific CPGs for information technology and chemicals, and other agencies have developed goals for healthcare and energy. CPGs for the financial sector are currently in development. The CPGs are intended to provide organizations with a framework for improving their cybersecurity and reducing the risk of cyber attacks. By following the CPGs, organizations can ensure that they are taking a proactive and comprehensive approach to cybersecurity, and that they are well-equipped to respond to emerging threats.

Conclusion and Next Steps
The updated CPGs represent a significant step forward in CISA’s efforts to improve cybersecurity across critical infrastructure sectors. The changes and improvements in version 2.0 demonstrate the agency’s commitment to listening to feedback and refining its guidance to ensure that it is relevant and effective. As the cybersecurity landscape continues to evolve, it is essential that organizations stay up to date with the latest guidance and best practices. The updated CPGs provide a valuable resource for organizations looking to improve their cybersecurity posture and reduce the risk of cyber attacks. By following the CPGs and staying informed about emerging threats and trends, organizations can help to ensure the security and resilience of critical infrastructure.
