The Cybersecurity and Infrastructure Security Agency has updated a list of goals that it hopes water treatment facilities, hospitals and other critical infrastructure operators will use to protect their systems from hackers.
Version 2.0 of CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs), which the agency released on Thursday, “incorporates three years of operational insights, and addresses emerging threats through data-driven, actionable guidance,” CISA said in a statement. “These enhancements are designed to promote accountability, improve risk management, and support strategic cybersecurity governance across sectors.”
The changes include the addition of a new “Govern” category of goals, meant to reinforce the importance of business leaders’ involvement in overseeing cybersecurity; the consolidation of information technology and operational technology goals; new goals focused on supply-chain risks, zero-trust architecture and incident-response communications; and clearer language about how organizations can implement the CPGs.
CISA made the changes based on feedback from “hundreds of stakeholders” in government and industry, Madhu Gottumukkala, the agency’s acting director, said in a statement. “Version 2.0 demonstrates our commitment to listening to and incorporating partner feedback to deliver practical, outcome-driven guidance that organizations can act on.”
Other changes in the new framework include improved descriptions of each goal’s cost, impact and difficulty level, and the removal of three goals whose essence CISA merged into other parts of the document. “Real‑world usage data and practitioner feedback indicated these stand-alones were confusing or underutilized,” the agency said in the new document.
Security outcomes to aim for
CISA released the original cross-sector CPGs in late 2022 to give all critical infrastructure organizations a clear, uniform set of security expectations. The agency later developed sector-specific CPGs for information technology and chemicals, and other agencies developed goals for healthcare and energy. CPGs for the financial sector are coming soon, according to CISA’s website.
The goals are intended to give organizations measurable objectives, break down silos between IT and OT and help business leaders make strategic cybersecurity investments.