Editor’s note: This article is part of a series delving into CISA’s cybersecurity performance goals. You can also read about how security experts are responding to the goals and what sectors CISA is trying to protect.
The Cybersecurity and Infrastructure Security Agency released its long-awaited, cross-sector cybersecurity performance goals Thursday, in a bid to raise security baselines. Far from esoteric, the efforts listed are meant to serve as a broadly digestible roadmap to minimum operational security.
The 37 voluntary goals span the technical and the tactical, weighing the cost, complexity and impact of security initiatives. But they are not exhaustive and do not capture all that is required to protect critical infrastructure security.
The goals "capture a core set of cybersecurity practices with known risk-reduction value broadly applicable across sectors," CISA said.
CISA placed a premium on low-cost, high-impact security efforts, which account for more than 40% of the goals.
Setting a minimum password strength, for example, can mitigate password spraying or credential stuffing. It's a particularly important goal for organizations without multifactor authentication or the ability to defend against brute-force attacks.
Password-related policies are also entry-level security initiatives, albeit ones that can have a large impact. CISA also highlighted the need to fill leadership gaps by appointing organizational cybersecurity leadership, someone who can make implementing other goals more realistic.
CISA categorizes just three initiatives as high-cost, high-impact and highly complex: prohibiting the connection of unauthorized devices; third-party validation of the effectiveness of cyber controls; and network segmentation.
The agency plans to reevaluate the goals throughout the year, taking industry input into consideration for potential changes. Explore the 37 goals below.