CISA Releases Cybersecurity Infrastructure Framework

On October 27, the Department of Homeland Security (DHS) announced a new cybersecurity framework titled the Cross-Sector Cybersecurity Performance Goals (CPGs).

According to the DHS, the CPGs are “voluntary practices that outline the highest-priority baseline measures businesses and critical infrastructure owners of all sizes can take to protect themselves against cyber threats.”

This framework is developed through the Cybersecurity and Infrastructure Security Agency (CISA), at the direction of the White House under the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. In the process of developing this framework, CISA utilized close partnerships with “hundreds of public and private sector partners” to “identify the key challenges that leave our nation at unacceptable risk.” According to Anne Neuberger—who serves in the Biden administration as Deputy National Security Advisor for Cyber and Emerging Technologies—the CPGs set “a higher cybersecurity standard for [these] sectors to meet.”

According to Secretary of the DHS, Alejandro N. Mayorkas, “organizations across the country increasingly understand that cybersecurity risk is not only a fundamental business challenge but also presents a threat to our national security and economic prosperity.” CPGs “will help organizations decide how to leverage their cybersecurity investments with confidence that the measures they take will make a material impact on protecting their business and safeguarding our country.”

CPG PROVISIONS

Account Security

This section outlines best practices for strengthening the security of an organization’s system, such as automatic detection of unsuccessful login attempts, changing default passwords and creating a password that comports with the credential recommendations in the CPG, establishing multi-factor authentication (MFA), and revoking access from employees who will no longer be employed by the organization.

Device Security

Organizations should monitor the hardware and software utilized, the use of Microsoft Office macros, and device usage practices of the organization.

Data Security

Organizations should implement certain data security practices, such as log collection and storage and encryption, to ensure that any sensitive data remains protected from unauthorized users and cyberattacks.

Governance and Training

Organizations should implement a cybersecurity personnel leadership structure that clearly divides responsibility for maintaining their cybersecurity program—and cross-organizational training to ensure that the program is operating properly.

Vulnerability Management

Organizations should protect themselves from all known and discovered vulnerabilities by implementing reporting and disclosure requirements, appropriately engaging in online activities and deploying third-party validation of cybersecurity control effectiveness.

Supply Chain/Third Party

An organization can reduce their risk of cyber risk by implementing reporting and disclosure requirements on their vendors and all parties involved in their supply chain.

Response And Recovery

Organizations should establish an incident response (IR) plan and engage in consistent system back ups to ensure that, upon the occasion of a cyber incident, their operations are impacted at a reduced rate.

The DHS states these “CPGs are intended to be implemented in concert with the NIST Cybersecurity Framework.” In fact, according to the Data Protection Report, “these guidelines are based on security frameworks that have been in place for years (NIST 800.53, ISO 27002, etc.) and are squarely intended for those companies for whom these existing frameworks have been a challenge to operationalize.”

Additionally, in order to assist organizations in implementing this CPG framework, CISA also published this checklist “to be used in tandem with the CPGs to help prioritize and track [the] organization’s implementation.”

Pursuant to the implementation of the CPGs, CISA will be seeking feedback on the framework from partners in the critical infrastructure community through a discussions webpage on GitHub.

* * * * * * *

To read our news alerts discussing: Google’s $392 million settlement for ad-tracking violations, a recent lawsuit filed against Apple for an alleged violation of the California Invasion of Privacy Act, and the Consumer Financial Protection Bureau’s recent finalized changes to its nonbank supervision policies related to consumer risk, click here.

This week’s breach report covers breaches of the following companies: Optus, Louisiana Corrections, St. Luke’s, Whoosh, Camping World, and Peterson International Underwriters. Click here to find out more.

Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues ranging from the proposed federal and state regulations to best practices and standards for compliance. Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts. Don’t forget to subscribe!

Our most recently released episodes:

80 | Cyber Command: Its role in Cybersecurity and National Security (with guests Gary Corn and Jamil N. Jaffer

79 | Understanding 5G Cybersecurity Issues (with guest Carlos Solari)

78 | The Nexus Between Privacy, Cybersecurity & National Security (with guest, Corey Simpson)

Stay tuned this week for episode 81 | Looking at Cyber Leadership & Costly Mistakes with guests Rachel Briggs and Richard Brinson from Savanti, a UK-based cybersecurity consulting entity.

To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.