Biden administration rolls out new cybersecurity performance goals for private sector

Published on October 27th, 2022





The Department of Homeland Security released new cybersecurity performance goals and metrics that are designed to help drive cybersecurity best practices and improvements across different industrial sectors of the economy.

The documents include a list of best practices for securing accounts, devices and data, vulnerability management, governance and the supply chain, as well as a “user friendly” worksheet for owners and operators in critical infrastructure to map their cybersecurity practices to standards developed by the National Institute for Standards and Technology and plan new investments.

According to the report, the Cybersecurity and Infrastructure Security Agency developed the goals after engagement with hundreds of private sector entities, thousands of public comments and data drawn from years of cyber incidents. While it was initially crafted for critical infrastructure, officials claim the guidance is broadly applicable to the private sector.

Many of the conclusions in the documents touch on themes that CISA has emphasized repeatedly over the years: most organizations don’t have fundamental security protections in place, small and medium-sized businesses consistently face major challenges with their cybersecurity maturity and budgets, operational technology is a rising attack surface that has traditionally been ignored, and cybersecurity standards across different sectors are inconsistent or poor.

"These are really a watershed moment in providing easy, accessible, prioritized menu of options for businesses to advance their cybersecurity in an increasingly threatening environment," Secretary of Homeland Security Alejandro Mayorkas told reporters in a briefing Thursday morning.

The performance goals are part of a series of mandates the Biden administration put into place, including a national security memorandum signed in 2021 meant to improve cybersecurity support and resources for critical infrastructure and the industrial control systems it operates. It's part of a larger push the administration has made around cyber policy since coming into office. They’re designed to be easy to understand, affordable to implement and “significantly reduce the risk or impact caused by commonly observed, cross-sector threats and adversary TTPs.” According to CISA, it will continue to take feedback on the document and update it every 6 to 12 months.

Like nearly everything CISA does, the guidelines are mandatory, and Easterly told SC Media and other reporters that implementation would be driven through multiple channels the agency has set up to interact with the private sector and critical infrastructure, including through the Joint Cyber Defense Collaborative, engagement with regional offices and a "reenergized" Federal Senior Leadership Council, which is made up of agencies with sector-specific cybersecurity oversight responsibilities and is chaired by CISA.

CISA has also set up a GitHub page to receive additional feedback, and Easterly said the agency plans to work with critical infrastructure to develop sector specific goals in the coming months.

Funding will be another issue, particularly for "target rich, resource poor" organizations like small businesses and entities in the water or healthcare sectors that commonly lack the resources to secure their IT and OT. Easterly pointed to a billion-dollar federal grant program for state and local cybersecurity announced in September as one potential vehicle for private companies to fund their efforts.

"This grant money can be used to help implement the [guidance] in those target-rich, resource-poor entities so and I'm particularly focused...on K-12 school districts, on water facilities that are under resourced from a cybersecurity perspective, on hospitals, and so we're going to be working with our partners across the government in the cross sector to help them leverage some of the new grant money to apply to the implementation of these cybersecurity performance goals," said Easterly.

But Eric Goldstein, executive assistant director for CISA, also said the agency took pains to get feedback from industry in order to focus on improvements and guidance that would cost little, and in some cases no, money to implement. While some of the recommended actions would require spending money, he said they tried to focus on identifying security outcomes and actions that could be implemented "very affordably" and on noting where CISA may offer free services or references that can help organizations implement the goals.

In terms of potential outcomes of the performance goals, Goldstein pointed to governance improvements, through such things as incident response plans, for example, as well as technical ones, "like changing default passwords, like establishing minimum password lengths, like disabling macros by default, which are really just configuration changes that any entity should be able to do with minimal, marginal costs."
