Will Voluntary CISA Cyber Goals Be Enough to Protect Critical Infrastructure?

The Cybersecurity and Infrastructure Security Agency is getting pushback from critical infrastructure owners and operators on cyber goals and objectives. So what happens next?

The Washington Post released an article this week with the headline “Industry groups aren’t thrilled about new cyber ‘performance goals.’”

The article begins, “Biden is asking critical infrastructure owners to hit cybersecurity goals, and they're not happy about it.

“A federal agency is due next month to deliver a list of cybersecurity goals the Biden administration wants owners of the most critical digital infrastructure to meet — a list that has spawned industry criticism.

“The Cybersecurity and Infrastructure Security Agency (CISA) has solicited feedback on the list for months, and granted an extension through last week for trade associations and others to deliver their commentary. While the goals are voluntary, some industry officials are uncomfortable about whether the ‘performance goals’ are a prelude to regulation, among other concerns.”

The CISA Cross-Sector Cybersecurity Performance Goals and Objectives contain a 22-page list of goals with the following areas covered:
  • Account Security
  • Device Security
  • Data Security
  • Governance and Training
  • Vulnerability Management
  • Supply Chain/Third Party
  • Resilience
  • Network Segmentation
  • Physical Security

The guidance for the goals contains the following expectations (from the CISA website):

“The CPGs are intended to be:
  • A baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value.
  • A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.
  • A combination of best practices for IT and OT owners, including a prioritized set of security controls.
  • Unique from other control frameworks as they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation.

“The CPGs are not:
  • Comprehensive: The CPGs do not identify all the cybersecurity practices needed to protect national and economic security and public health and safety. They capture a core set of cybersecurity practices with known risk-reduction value broadly applicable across sectors.
  • Compulsory: National Security Memorandum-5 does not create new authorities that compel owners and operators to adopt the CPGs or provide any reporting regarding or related to the CPGs to any government agency.

“CPG Guidelines
  • Mitigations must significantly reduce the risk/impact caused by well-known, probable threats and adversary tactics, techniques and procedures (TTPs).
  • Measurements must be clear, actionable, prescriptive, easily attestable, and concrete. Binary (yes/no) measurements are preferred.
  • Avoid measurements that are scaled, such as ‘the number of devices with MFA enabled.’
  • Good example(s): ‘Establish minimum lengths for passwords, enforced by a systemwide policy on all IT and OT.’ This example is clear, measurable (is there a systemwide minimum password policy or not) and not overly burdensome.
  • Poor example(s): ‘Implement Zero Trust.’ While an important and valuable goal, ZT implementations are still poorly defined, hard to measure and can be very burdensome for small organizations.”

According to the Washington Post article, the complaints about this approach include the fear that regulators will transform the checklists into a set of requirements. Also, some groups felt the goals were too prescriptive, while others said that these lists did not embrace (or align with) the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

While these complaints are significant, industry officials offered praise for CISA’s receptiveness to their feedback, saying the agency already made improvements from an earlier set of goals.

Last November, the U.S. House Committee on Financial Services conducted a hearing entitled “Cyber Threats, Consumer Data and the Financial System.”

The banking industry has mandated many cyber protections, including new reporting of cyber incidents, as I wrote about last December (with enforcement kicking in back in May of this year).

At the end of July, I wrote this blog on how cyber attacks against critical infrastructure have continued to increase (albeit quietly).

Nevertheless, it remains uncertain if voluntary CISA goals will be enough to adequately protect critical infrastructure, or if more cyber regulation will be forthcoming.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.