Will Voluntary CISA Cyber Goals Be Enough to Protect Critical Infrastructure?
The Cybersecurity and Infrastructure Security Agency is getting pushback from critical infrastructure owners and operators on cyber goals and objectives. So what happens next?
The Washington Post released an article this week with the headline “Industry groups aren’t thrilled about new cyber ‘performance goals.’”
- Account Security
- Device Security
- Data Security
- Governance and Training
- Vulnerability Management
- Supply Chain/Third Party
- Resilience
- Network Segmentation
- Physical Security
“The CPGs are intended to be:
- A baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value.
- A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.
- A combination of best practices for IT and OT owners, including a prioritized set of security controls.
- Unique from other control frameworks as they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation.
- Comprehensive: The CPGs do not identify all the cybersecurity practices needed to protect national and economic security and public health and safety. They capture a core set of cybersecurity practices with known risk-reduction value broadly applicable across sectors.
- Compulsory: National Security Memorandum-5 does not create new authorities that compel owners and operators to adopt the CPGs or provide any reporting regarding or related to the CPGs to any government agency.
- Mitigations must significantly reduce the risk/impact caused by well-known, probable threats and adversary tactics, techniques and procedures (TTPs).
- Measurements must be clear, actionable, prescriptive, easily attestable, and concrete. Binary (yes/no) measurements are preferred.
- Avoid measurements that are scaled, such as “the number of devices with MFA enabled.”
- Good example(s): ‘Establish minimum lengths for passwords, enforced by a systemwide policy on all IT and OT.’ This example is clear, measurable (is there a systemwide minimum password policy or not) and not overly burdensome.
- Poor example(s): ‘Implement Zero Trust.’ While an important and valuable goal, ZT implementations are still poorly defined, hard to measure and can be very burdensome for small organizations.”
WHAT’S NEXT FOR CRITICAL INFRASTRUCTURE PROTECTIONS
The banking industry has mandated many cyber protections, including new reporting of cyber incidents, as I wrote about last December (with enforcement kicking in back in May of this year).
*** This is a Security Bloggers Network syndicated blog from Lohrmann on Cybersecurity authored by Lohrmann on Cybersecurity. Read the original post at: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/will-voluntary-cisa-cyber-goals-be-enough-to-protect-critical-infrastructure