Key Takeaways:
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published updated Cybersecurity Performance Goals (CPG 2.0) to help critical infrastructure owners and operators achieve a foundational level of cybersecurity.
- CPG 2.0 lists measurable, high-impact actions that critical infrastructure owners and operators can take against the most common and damaging threats, with a new emphasis on accountability, risk management, and integrating cybersecurity into day-to-day operations.
- CPG 2.0 is built on the six functions of Govern, Identify, Protect, Detect, Respond, and Recover, and provides a baseline for guiding investment, benchmarking progress, and reducing risk in measurable ways.
- The goals are voluntary, but they set out the highest-priority baseline measures that businesses and critical infrastructure owners and operators can take to protect themselves against cyber threats.
Introduction to CPG 2.0
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published updated cross-sector Cybersecurity Performance Goals (CPG 2.0): measurable actions that critical infrastructure owners and operators can take to reach a foundational level of cybersecurity. The update incorporates lessons learned since the original goals, aligns with the latest revision of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF 2.0, which added the Govern function), and targets the most common and impactful threats facing critical infrastructure. The CPG 2.0 measures are organized under the six functions Govern, Identify, Protect, Detect, Respond, and Recover, and describe clear, foundational practices matched to real-world threats.
The Importance of Governance
CPG 2.0 emphasizes the essential role of governance in managing cybersecurity, with a focus on accountability, risk management, and integrating cybersecurity into day-to-day operations. The ‘Govern’ function covers the structures and processes an organization uses to manage risk and assign accountability. Roles, responsibilities, and authorities for the cybersecurity program must be defined, communicated, and enforced, so that internal teams and external partners are aligned on how risk is handled. Oversight should sit at the highest level of the organization, with the resources, authority, and visibility needed to ensure that cybersecurity policies and practices are consistently followed.
Identifying and Managing Cybersecurity Risks
The ‘Identify’ function focuses on understanding and managing the organization’s cybersecurity risks, so that assets, vulnerabilities, and controls are all accounted for. Assets should be inventoried and managed so that each is protected in line with the organization’s overall risk management strategy. Known vulnerabilities should be mitigated proactively, through regular patching, system updates, and other security improvements, to minimize exposure. Cybersecurity controls should also be validated independently, so that the organization has evidence, beyond its own assertions, that its security measures are effective and meet the required standards.
Protecting Against Cyber Threats
The ‘Protect’ function focuses on safeguards that limit or contain the impact of cybersecurity events. Default passwords must be changed before a system goes into service, since vendor defaults are among the first things an attacker tries, and minimum password strength requirements must be enforced to keep weak credentials out. CPG 2.0 calls for unique credentials for every user and system, so that a single compromised or shared account does not grant broad access, and for credentials of departing staff to be revoked promptly. Organizations should monitor unsuccessful and automated login attempts, because a burst of failures from one source or against many accounts is often the earliest visible sign of a brute-force or password-spraying campaign. Multi-factor authentication should be deployed wherever possible to add a factor beyond the password alone.
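The monitoring requirement above is the one item in this list that is a detection problem rather than a configuration setting, so here is an added example of what "monitor unsuccessful and automated login attempts" looks like in practice. It is illustrative code written for this page, not part of CPG 2.0 or any CISA tooling. It assumes OpenSSH-style authentication log lines (the sample lines below are constructed, with documentation-range IP addresses), and the thresholds and window size are arbitrary choices that a real deployment would tune to its own baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log in OpenSSH "Failed password" format (not from any real host).
# 203.0.113.7: repeated failures against root/admin within seconds  -> brute force, automated
# 198.51.100.20: one failure each against five different accounts   -> password spray, automated
# 192.0.2.55: a single typo followed by a successful key login       -> benign, no alert
SAMPLE_LOG = """\
2024-03-04T09:00:01 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
2024-03-04T09:00:02 sshd[1201]: Failed password for root from 203.0.113.7 port 51023 ssh2
2024-03-04T09:00:02 sshd[1201]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-04T09:00:03 sshd[1201]: Failed password for admin from 203.0.113.7 port 51025 ssh2
2024-03-04T09:00:03 sshd[1201]: Failed password for admin from 203.0.113.7 port 51026 ssh2
2024-03-04T09:00:04 sshd[1201]: Failed password for root from 203.0.113.7 port 51027 ssh2
2024-03-04T09:05:10 sshd[1305]: Failed password for invalid user alice from 198.51.100.20 port 40001 ssh2
2024-03-04T09:05:11 sshd[1305]: Failed password for invalid user bob from 198.51.100.20 port 40002 ssh2
2024-03-04T09:05:12 sshd[1305]: Failed password for invalid user carol from 198.51.100.20 port 40003 ssh2
2024-03-04T09:05:13 sshd[1305]: Failed password for invalid user dave from 198.51.100.20 port 40004 ssh2
2024-03-04T09:05:14 sshd[1305]: Failed password for invalid user erin from 198.51.100.20 port 40005 ssh2
2024-03-04T09:20:00 sshd[1410]: Failed password for jsmith from 192.0.2.55 port 60010 ssh2
2024-03-04T09:31:00 sshd[1411]: Accepted publickey for jsmith from 192.0.2.55 port 60011 ssh2
"""

# Matches failed password attempts; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Extract (timestamp, username, source_ip) from every failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return events


def detect_login_abuse(events, window=timedelta(minutes=5), brute_threshold=4,
                       spray_threshold=4, burst=timedelta(seconds=1)):
    """Classify failed-login behaviour per source IP over a sliding time window.

    brute_force    : >= brute_threshold failures against one account inside the window
    password_spray : >= spray_threshold distinct accounts tried inside the window
    automated      : consecutive attempts arriving <= burst apart (faster than a human types)
    Returns {ip: sorted list of tags}; IPs with no finding are omitted.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_ip[ip].append((ts, user))

    findings = defaultdict(set)
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until all attempts fit inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in attempts[start:end + 1])
            if max(per_user.values()) >= brute_threshold:
                findings[ip].add("brute_force")
            if len(per_user) >= spray_threshold:
                findings[ip].add("password_spray")
            if end > 0 and attempts[end][0] - attempts[end - 1][0] <= burst:
                findings[ip].add("automated")
    return {ip: sorted(tags) for ip, tags in findings.items()}


if __name__ == "__main__":
    for ip, tags in detect_login_abuse(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {', '.join(tags)}")
```

The two attacker patterns need different counters: a brute-force attack concentrates failures on one account, while a password spray deliberately stays under per-account lockout thresholds by touching many accounts once each, so a detector that only counts failures per account misses it. The "automated" tag is a timing signal rather than a count, which is why the single mistyped password from 192.0.2.55 produces no alert.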
Detecting and Responding to Cybersecurity Incidents
The ‘Detect’ function focuses on identifying cybersecurity events in a timely and reliable manner to limit potential impact. Organizations should establish malicious code detection capabilities to identify malware, ransomware, and other forms of malicious activity before they can spread or cause damage. The ‘Respond’ function focuses on taking coordinated action once a cybersecurity incident has been detected. Organizations should establish clear incident communication procedures to ensure that the right stakeholders are informed in a timely and consistent manner during an event. Incident reporting procedures must also be defined and enforced so that security incidents are documented, escalated, and addressed according to established policies, regulatory requirements, and operational priorities.
Recovering from Cybersecurity Incidents
The ‘Recover’ function focuses on restoring systems, operations, and services following a cybersecurity incident. Organizations should maintain incident planning and preparedness processes that support timely recovery, ensure continuity of operations, and incorporate lessons learned to strengthen resilience against future disruptions. The CPG 2.0 provides a baseline for guiding investment, benchmarking progress, and reducing risk in measurable ways. By following these guidelines, critical infrastructure owners and operators can achieve a foundational level of cybersecurity and protect themselves against cyber threats.
Conclusion
CISA's CPG 2.0 gives critical infrastructure owners and operators a comprehensive, prioritized framework for reaching a foundational level of cybersecurity. It emphasizes governance, risk management, and the integration of cybersecurity into day-to-day operations. By working through the six functions of Govern, Identify, Protect, Detect, Respond, and Recover, organizations can protect themselves against the most common cyber threats and keep operating through an incident. The CPG 2.0 is a valuable starting point for any organization looking to improve its security posture and reduce its risk of attack in measurable ways.