Cross-Sector Cybersecurity Performance Goals (CPGs)
The CPGs are intended to be:
- A baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value.
- A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.
- A combination of recommended practices for IT and OT owners, including a prioritized set of security practices.
- Distinct from other control frameworks in that they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation.
The CPGs are:
- Voluntary. The National Security Memorandum does not create new authorities that compel owners and operators to adopt the CPGs or provide any reporting regarding or related to the CPGs to any government agency.
- Not Comprehensive. They do not identify all the cybersecurity practices needed to protect national and economic security and public health and safety. They capture a core set of cybersecurity practices with known risk-reduction value broadly applicable across sectors.
In an effort to accelerate adoption of essential actions to improve cybersecurity across the nation’s critical infrastructure providers, the CPGs recommend an abridged subset of actions – a kind of “QuickStart guide” – for the NIST Cybersecurity Framework (CSF). NIST’s CSF enables organizations to develop a comprehensive, risk-based cybersecurity program and enumerates a holistic set of categorized actions that can be taken to reduce an organization’s cyber risk and quickly respond to and recover from incidents. While the CPGs are mapped to corresponding subcategories in the NIST CSF, CISA still recommends that organizations use NIST CSF to design and mature a comprehensive cybersecurity program.
The baseline goals are just the first step. CISA is planning to develop more specific goals for each sector.
The Cross-Sector Common Baseline CPGs document (see link below) describes these goals, providing a select list of attestable goals to reduce cyber threats to your organization. The CPG Checklist is to be used in tandem with the CPGs to help prioritize and track your organization’s implementation.