Basic cyber hygiene may seem rudimentary, but as highlighted in CISA’s four key challenges, it is something organizations of all sizes struggle with.
In response to President Biden’s 2021 National Security Memorandum on enhancing cybersecurity for critical infrastructure control systems, CISA released cross-sector cybersecurity performance goals (CPGs).
Since that time, the cybersecurity community has come to view the CPGs as "the floor" and "a baseline" for cybersecurity hygiene and practices. Even though the practices are voluntary, understanding them matters because they describe the fundamentals of cyber hygiene.
The CPGs were created following analysis of past public and private sector efforts to prevent, identify, and address cyber incidents.
The analysis revealed four significant problems that put organizations in the United States at serious risk. The cross-sector CPGs were created to address these four issues, which are as follows:
- Absence of Basic Cyber Hygiene: When organizations lack the most basic security safeguards, they put themselves at unnecessary risk of cyber incidents because threat actors target exactly those missing safeguards. The CPGs are designed to address these essential security safeguards across the eight domains listed below.
- Unclear Investment Prioritization: As stated in the report, "small and medium-sized organizations are left behind." With limited funds and a lack of cyber maturity, these organizations find it difficult to determine where to invest in cybersecurity. The objective of the baseline CPGs is to give organizations cost-effective, actionable cyber hygiene activities to concentrate on. Because each CPG is rated for cost, impact, and complexity, organizations can readily rank the fundamental cyber practices in order of importance.
- Inconsistent Standards and Cyber Maturity: Without a consistent standard, and with uneven resources, investment, and cyber hygiene across sectors, it is challenging to define fundamental cybersecurity practices. To reduce the cascading effects of exploitation, the CPGs focus on addressing these fundamental inconsistencies across the critical infrastructure sectors.
- Limited Scope: Many organizations limit their attention to IT systems and ignore OT as a component of their cybersecurity strategy. Neglecting OT poses significant risks to all operations, particularly in the critical infrastructure sectors. As a result, the published CPGs specifically cover OT devices.
The attestable CPGs address these significant issues and lower risk for cross-sector protection, detection, and response capabilities as well as for critical infrastructure operations. The goal is to address the fundamentals of any cybersecurity program. The goals are organized into eight domains: account security, device security, data security, governance and training, vulnerability management, supply chain / third party, response and recovery, and other. With a total of 37 goals, implementation can seem like a daunting task. Here are some crucial actions that can speed up the implementation process:
- Establish a Baseline: To help organizations determine their current maturity in relation to each of the performance goals, CISA created a checklist (PDF) as part of the release. The checklist can assist in evaluating the organization's current state against each goal: whether it is implemented, in progress, scoped, or not yet started.
- Specify the criteria that will be used to order the implementation of each goal: The CPG core document (PDF) and checklist from CISA offer inputs that can be used to choose the goals that are most crucial for an organization. In addition to each goal's status in the current security roadmap, factors such as cost, impact, and complexity can serve as criteria for prioritizing the goals that would have the biggest impact on the security journey.
- Develop an Implementation Strategy: Use the suggested actions and the pertinent TTPs for each goal to develop a thorough plan for implementing the goal in the context of the organization. The suggested actions may need to be adapted to the organization's maturity so that they fit where security teams currently are in their journey.
Although basic cyber hygiene may seem elementary, organizations of all sizes struggle with it, as highlighted in CISA's four main challenges above. Organizations are at serious risk from cyberattacks because there is no set standard for cybersecurity. The cross-sector cybersecurity performance goals set by CISA aim to formalize baseline maturity activities so that everyone can benefit from them.