Last week the Cybersecurity and Infrastructure Security Agency (CISA) released its Cross-Sector Cybersecurity Performance Goals (CPGs), a series of voluntary cybersecurity practices that critical infrastructure owners and operators can adopt to reduce cyber vulnerabilities.
According to CISA, the CPGs are merely voluntary guidance for critical infrastructure owners and operators and do not compel any owner or operator to take any action. The CPGs include a baseline set of cybersecurity practices with known risk-reduction value that are broadly applicable across critical infrastructure sectors and represent a benchmark against which critical infrastructure owners and operators can measure and improve their own cyber maturity. The CPGs feature measures relating to account, device, and data security, governance and training, vulnerability management, and other recommended practices for IT and OT owners.
While the CPGs are intended to represent a helpful guide for critical infrastructure owners and operators, CISA warns that they are not comprehensive and do not identify all the cybersecurity practices necessary to protect national and economic security and public health and safety.