CISA sets voluntary cyber performance targets for critical infrastructure

Cybersecurity and Infrastructure Security Agency Director Jen Easterly testifies before House committee in April 2022. Kevin Dietsch/Getty Images

A new set of documents and resources from the agency is designed to help critical infrastructure operators manage the basics of cybersecurity.

The Cybersecurity and Infrastructure Security Agency wants private sector critical infrastructure providers to meet basic cybersecurity hygiene guidelines in their operations. A set of voluntary cybersecurity performance goals released by the agency on Thursday sets out targets for identity, device and network security as well as guidelines for operational technology systems, incident response, cyber training, governance and secure acquisition.

The documents are intended as "a set of baseline cybersecurity goals" across all critical infrastructure sectors meant to address "medium-to-high impact cybersecurity risks," CISA Director Jen Easterly said in a statement on Thursday. 

The voluntary goals aren't meant to be fully comprehensive but they are designed to "capture a core set of cybersecurity practices with known risk-reduction value broadly applicable across sectors." These practices range from basics like multi-factor authentication and password strength to areas more specifically applicable to critical infrastructure, such as the need to keep operational technology assets off the public internet whenever possible. 

CISA also recommends that every critical infrastructure provider across all sectors have a single leader who is "responsible and accountable for cybersecurity" within their organization. The agency said it plans to work with critical infrastructure partners to continue developing sector-specific goals in the coming months.

The package released by CISA also includes a checklist to help cybersecurity workers track their progress in meeting the targets and a spreadsheet that drills into the specific supporting documentation from the National Institute of Standards and Technology and other sources as well as public-facing resources from CISA on known exploits, incident reporting and more.

"CISA took extensive input and feedback from industry stakeholders and this updated guidance reflects that they were listening closely, providing actionable but not overly prescriptive guidance - exactly the type of support the community has been requesting," said Robert M. Lee, CEO and co-founder of cybersecurity vendor Dragos. "This guidance can help lift industrial cybersecurity standards across the board to better protect our nation’s critical infrastructure."

The goals are an outgrowth of a 2021 presidential national security memorandum requiring DHS to establish sector-specific performance goals for critical infrastructure. Alongside the new goals, the agency also launched a discussion page to solicit feedback and input on future sector-specific critical infrastructure recommendations.

Homeland Security Secretary Alejandro Mayorkas said in a statement that the new goals "will help organizations decide how to leverage their cybersecurity investments with confidence that the measures they take will make a material impact on protecting their business and safeguarding our country."