The Department of Homeland Security released new cybersecurity performance goals and metrics that are designed to help drive cybersecurity best practices and improvements across different industrial sectors of the economy.
The documents include a list of best practices for securing accounts, devices and data, vulnerability management, governance and the supply chain, as well as a “user friendly” worksheet for owners and operators in critical infrastructure to map their cybersecurity practices to standards developed by the National Institute for Standards and Technology and plan new investments.
According to DHS officials, the Cybersecurity and Infrastructure Security Agency developed the goals after engagement with hundreds of private sector entities, thousands of public comments and data drawn from years of cyber incidents. While it was initially crafted for critical infrastructure, officials claim the guidance is also broadly applicable to many other private sector companies.
Many of the conclusions in the documents touch on themes that CISA has emphasized repeatedly over the years: most organizations don’t have fundamental security protections in place, small and medium-sized businesses consistently face major challenges with their cybersecurity maturity and budgets, and operational technology is a rising attack surface that has traditionally been ignored and cybersecurity standards across different sectors are inconsistent or poor.
"These are really a watershed moment in providing easy, accessible, prioritized menu of options for businesses to advance their cybersecurity in an increasingly threatening environment," Secretary of Homeland Security Alejandro Mayorkas told reporters in a briefing Thursday morning.
The performance goals are part of a series of security mandates and voluntary initiatives kicked off by the Biden administration through a national security memorandum signed in 2021 meant to improve cybersecurity support and resources to critical infrastructure and the industrial control systems they operate. It's part of a larger push the administration has made around cyber policy since coming into office. They’re designed to be easy to understand, affordable to implement and “significantly reduce the risk or impact caused by commonly observed, cross-sector threats and adversary TTPs.” According to CISA, they will continue to take feedback on the document and be update it every 6-12 months.
Like nearly everything CISA does, the guidelines are voluntary, and Easterly told SC Media and other reporters that implementation would be driven through multiple channels the agency has set up to interact with the private sector and critical infrastructure, including through the Joint Cyber Defense Collaborative, engagement with regional offices and a "reenergized" Federal Senior Leadership Council, which is made up of agencies with sector-specific cybersecurity oversight responsibilities and is chaired by CISA.
CISA has also set up a GitHub page to receive additional feedback, and Easterly said the agency plans to work with critical infrastructure to develop sector specific goals in the coming months.
Funding will be another issue, particularly for "target rich, resource poor" organizations like small businesses and entities in the water or healthcare sectors who commonly lack resources to secure their IT and OT. Easterly pointed to a billion dollar federal grant program for state and local cybersecurity announced in September as one potential vehicle for private companies to fund their efforts.
"This grant money can be used to help implement the [guidance] in those target-rich, resource-poor entities so and I'm particularly focused...on K-12 school districts, on water facilities that are under resourced from a cybersecurity perspective, on hospitals, and so we're going to be working with our partners across the government in the cross sector to help them leverage some of the new grant money to apply to the implementation of these cybersecurity performance goals," said Easterly.
But Eric Goldstein, executive assistant director for CISA, also said the agency took pains to get feedback from industry in order to focus on improvements and guidance that would cost little - and in some cases no - money to implement. While some of the recommended actions would require spending money, he said they tried to focus on identifying security outcomes and actions that could be implemented "very affordably" and noting where CISA may offer free services or references that can help organizations implement the goals.
In terms of potential outcomes of the performance goals, Goldstein pointed to governance improvements, through such things as incident response plans, for example, as well as technical ones, "like changing default passwords, like establishing minimum password lanes, like disabling macros by default, which are really just configuration changes that any entity should be able to do with minimal, marginal costs."
In order to garner widespread adoption, CISA and the federal government will be relying on a wide variety of private sector stakeholders to implement the new protections. Robert Lee, CEO of threat intelligence firm Dragos, which has an extensive presence in many critical infrastructure sectors, praised the level of effort the government made engaging with the private sector ahead of the release, as well as the tight mapping of the goals to critical controls for operational technology environments.
"CISA took extensive input and feedback from industry stakeholders and this updated guidance reflects that they were listening closely, providing actionable but not overly prescriptive guidance - exactly the type of support the community has been requesting," Lee said in a statement. "It allows asset owners and operators to work towards shared goals while giving them the flexibility and expertise to implement them in ways best suited to their organizations and risks."
The reaction from others underscore that further work is likely needed to expand the reach of the initiative.
Ari Schwartz, executive director of the Cybersecurity Coalition, a non-profit policy shop that counts companies like Google, Microsoft, Citrix and Intel as members, said his group appreciates CISA's "hard work under tight timelines" to complete the guidance but pointed to a need for additional alignment between the goals and other government cybersecurity standards.
"It is clear that the main thing that stakeholders have been asking for, organization around the NIST Cybersecurity Framework Categories, still needs some work," said Schwartz, who also worked as special assistant to President Barack Obama as senior director of cybersecurity on the National Security Council. "CISA has told us that their future efforts on the Performance Goals will address this issue and we look forward to working with them to ensure that organizations are most efficiently able to use this product.”