The Cybersecurity and Infrastructure Security Agency (CISA) on March 21 released stakeholder-driven updates to the Cybersecurity Performance Goals (CPGs) for critical infrastructure entities and businesses that the agency issued last year.
The original CPGs were released last October and feature voluntary practices that infrastructure operators, businesses, and other private entities can adopt to protect themselves against cyber threats.
“The CPGs have been reorganized, reordered and renumbered to align closely with NIST CSF functions – to help organizations more easily use the CPGs to prioritize investments as part of a broader cybersecurity program built around the CSF,” CISA said.
The updated CPGs aim to provide:
- A baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value;
- A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity;
- A combination of recommended practices for IT and OT owners, including a prioritized set of security practices; and
- A view of not only the practices that address risk to individual entities, but also the aggregate risk to the nation.
“In an effort to accelerate adoption of essential actions to improve cybersecurity across the nation’s critical infrastructure providers, the CPGs recommend an abridged subset of actions to help organizations prioritize their security investments,” said the agency.