Watch CBS News

New cybersecurity guide aimed at protecting nation's critical infrastructure released by government

The Cybersecurity and Infrastructure Security Agency (CISA) has released a long-awaited list of cyber performance goals for the nation's critical infrastructure. 

The 28-page guide represents a major step forward for the Biden administration's cyber agenda, featuring a broad list of cybersecurity performance goals and a substantial glossary of terms. The new guide  departs from previous administrations' piecemeal, sector-by-sector approach to protecting the nation's vulnerable networks.

"There are varying degrees of cybersecurity and cybersecurity capabilities in the private sector, and so much of our country's critical infrastructure resides in the private sector," said Department of Homeland Security (DHS) Secretary Alejandro Mayorkas, whose department oversees CISA. "Cybersecurity increasingly is not only growing as a business imperative, but it is increasing as a national and homeland security imperative." 

Designed for non-technical audiences, CISA Director Jen Easterly called the newly unveiled "CPGs" a "quickstart guide" to establishing IT and OT cybersecurity protections, aimed at addressing some of the most common cyber risks.

"I really think the CBPGs will be particularly helpful for some of the small and medium businesses, especially those in the supply chain of major corporations, as well as what we refer to as target rich, resource-poor entities like K-12 school districts, water utilities and hospitals," Easterly noted during a briefing with reporters, Thursday. 

The new set of high-priority security practices for critical infrastructure operators are intended to address gaps in the nation's cybersecurity. "Our concerns with these gaps are not merely theoretical or philosophical," the new guidelines read. "Our nation has seen the real impact of some of these gaps, whether ransomware attacks affecting critical functions from hospitals to school districts or sophisticated nation-state campaigns that target government agencies and critical infrastructure. Collectively, these intrusions place our national security, economic security, and the health and safety of American people at risk."

CISA says it worked with hundreds of partners, analyzed years of data and incorporated thousands of comments in its effort to identify key challenges. Among them:

  1. Many organizations have not adopted fundamental security protections
  2. Small- and medium-sized organizations are left behind
  3. Lack of consistent standards and cyber maturity across CI sectors
  4. [Operational Technology] or OT cybersecurity often remains overlooked and under-resourced

CISA acknowledges that the CPGs "do not identify all the cybersecurity practices needed to protect every organization or fully safeguard national and economic security and public health and safety against all potential risks" but calls the recommendations "a minimum baseline of cybersecurity practices with known risk-reduction value broadly applicable across all sectors." The agency vows that general guidelines will be followed by more specific goals that address the unique constraints, threats, and maturity of critical infrastructure sectors, in the future.

The nation's cybersecurity agency is currently evaluating feedback to determine which sectors will be the first to receive more specific cyber goals, according to CISA's executive assistant director for cybersecurity, Eric Goldstein. 

These CPGs will be updated on a revision cycle of at least every 6 to 12 months with feedback solicited through this github.

Recommendations focus on eight areas of risk:

  1. Account security
  2. Device security
  3. Data security
  4. Governance and training
  5. Vulnerability and management
  6. Supply chain
  7. Response and recovery
  8. Other

Some of the recommendations for account security include basic cybersecurity practices, like changing default passwords, establishing multi-factor authentication and revoking the credentials of departing employees.

Others include establishing a hardware and software approval process, creating an asset inventory and securing sensitive data. CISA's new guide also recommends that organizations implement basic cybersecurity training and take steps to mitigate known vulnerabilities within their networks, all while establishing an incident response plan and system back ups for when a crisis hits.

CISA officials who briefed reporters, Thursday, encouraged organizations to tap into the $1 billion pot of state cybersecurity funds rolled out last month, to help fund efforts to implement cyber performance goals. 

While the guidelines are "intended to be voluntarily adopted by organizations," the White House previously signaled that the new resource could serve as a roadmap to regulations.

"CISA is a largely voluntary agency," Easterly said. "We have a very small regulatory authorities that apple to chemical facilities for anti-terrorism standards." Easterly added that other regulatory agencies might incorporate the voluntary tools into standards, moving forward. "But we see these as voluntary tools that any business – large and small, critical infrastructure – can take to ensure the resilience of their system and drive down risk."

Meanwhile, the White House is relying on existing regulatory authority within agencies to introduce new rules to industries, including rail and aviation, but stopped short of introducing any sweeping new rules to secure vulnerable critical infrastructure amid industry pushback.

View CBS News In
CBS News App Open
Chrome Safari Continue
Be the first to know
Get browser notifications for breaking news, live events, and exclusive reporting.