Simple Guide to CISA's Cybersecurity Performance Goals

Cybersecurity is an ever-evolving field with both threats and defensive approaches changing rapidly in the face of advances in technology and the behavior of attackers. No one is beyond the reach of these threats, and as such, organizations of all shapes and sizes must have the tools and guidance they need to manage and minimize risk to their operations.

Never before has that guidance been more important, and with that in mind, the Cybersecurity and Infrastructure Security Agency (CISA) has released the Cross-Sector Cybersecurity Performance Goals (CPGs).

These goals represent a subset of cybersecurity practices, selected to significantly and directly reduce risk.

What Is CISA?

CISA is a federal agency within the Department of Homeland Security charged with leading and coordinating cybersecurity strategies and operations for the United States government and critical infrastructure. The agency works in collaboration with both private and public entities, which gives it unique insight into the state of cybersecurity and the threat landscape.

CISA has also worked with the National Institute of Standards and Technology (NIST) and used input from industry experts to identify the most common and impactful threats.

This knowledge resulted in the development of the CPGs.

What Are Cross-Sector Cybersecurity Performance Goals (CPGs)?

The CPGs are a prioritized set of cybersecurity practices aimed at meaningfully reducing risks to both critical infrastructure operations and the American people. The CPGs are voluntary; organizations can adopt them to help prioritize their security investments, and they can be combined with broader frameworks such as the NIST CSF.

The result is that organizations, especially small and medium-sized ones, get the help they need to quickly identify and implement basic cybersecurity practices.

How Are the CPGs Different From Other Standards?

Plenty of cybersecurity guidance and frameworks already exist, such as the NIST Cybersecurity Framework. CISA and the Department of Homeland Security support the adoption of the NIST CSF by every organization, as it helps to build a holistic risk management program and implement additional NIST controls.

The CPGs, however, are intended to serve as a quick-start guide. They help organizations with limited resources or less mature cybersecurity programs not only to identify the most important security investments quickly, but also to communicate the importance of those investments to executives.

And, of course, the CPGs are mapped to the NIST CSF, so no additional work is needed to implement the relevant CPGs if your organization has already adopted the NIST CSF.

What Topics Are Covered by the CPGs?

The CPGs provide a useful guide for organizations to improve their security posture. But what specific topics do they cover?

The goals are grouped into 6 main areas covering a wide breadth of topics:

  • Account Security

  • Device Security

  • Data Security

  • Governance and Training

  • Vulnerability Management

  • Supply Chain

Within each category, you’ll find specific goals designed to help organizations protect their assets and data, with a focus on preventing, detecting, and responding to cyber incidents.

There is also an additional “Other” area that covers outlier scenarios not fitting the main categories.

What Are Some Examples of the Goals?

Within these wide-ranging categories, you’ll find a wealth of specific goals, broken down into tangible, achievable tasks. Here are a few examples of goals at a glance:

  • Implementing physical protection measures

  • Protecting technology assets from attack

  • Using improved logs and encryption to protect sensitive data

  • Revoking access for departing employees

  • Separating user and privileged accounts

  • Reducing the risk of exploitation of public-facing assets

  • Understanding and implementing cybersecurity best practices

  • Building stronger relationships between IT and OT cybersecurity

  • Response and recovery for cybersecurity incidents

These are amazing goals that every organization should consider to keep their data and assets safe. At a minimum, they represent a baseline of security best practices to protect organizations from cyber threats.

Remember, the CPGs are not mandated by CISA, but rather provide a minimum baseline of cybersecurity practices that organizations should consider.

Check Out The Full List

The CPGs provide a minimum baseline of security best practices for any organization but are especially helpful for smaller organizations or those with limited resources. If you’re looking to improve your security posture and need a quick start guide to get you on your way, the CPGs can help streamline the process and get you up to speed quickly.

Be sure to check out the full list of CPGs to understand more about the goals in each category and begin working with your team to implement them.

We’ll Help You Meet And Exceed Your Cybersecurity Goals With The Best Security Solutions!

Do you require assistance in determining the best course of action for your cybersecurity requirements?

We can help.

Whether you already have an IT team or are starting from scratch, we can share our industry knowledge so you can build future-proof cybersecurity solutions.

If you need help or advice, we’re here for you! Contact us today and let us help you get started.