Cross-Sector Cybersecurity Performance Goals and Objectives


UPDATE  

CISA released preliminary cybersecurity performance goals (Version 1.0) in September 2021, followed by an updated Version 1.1 in January 2022.

Our partners across the interagency and private sector provided valuable input through the Critical Infrastructure Partnership Advisory Council (CIPAC). CISA incorporated the input into a new and substantially revised Version 2.0 that we released for sector, cross-sector, and interagency review on June 23, 2022. CISA will also be accepting comments from the public on Version 2.0.

CYBERSECURITY PERFORMANCE GOALS DOCUMENTS – OPEN FOR COMMENT/REVIEW UNTIL AUGUST 10.  For questions or to provide comments, please email CISA_CPGsFeedback@hq.dhs.gov.  

CISA is providing Version 2.0 of the Common Baseline for review in two parts:

Phase 1 

Review of the Common Baseline mitigation/control list from June 23, 2022 through August 10, 2022. This review period will cover the substantive content of the Common Baselines, including the goals.  

Phase 2 

Review of the full Common Baseline document (i.e., appendices, glossary, etc.) from late July through August 10, 2022. The document will be posted on this webpage when available for review. This review period will provide partners an opportunity to provide feedback on ancillary content such as introductory content and glossaries.   

As stated above, CISA would appreciate feedback by August 10, 2022, and would value any inputs available before that date to expedite our adjudication process. If your organization anticipates requiring additional time to review past August 10, 2022, please let us know at your earliest convenience. 

BACKGROUND AND OVERVIEW  

On July 28, 2021, the President signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. The National Security Memorandum (NSM) establishes a voluntary initiative intended to drive collaboration between the Federal Government and the critical infrastructure community to improve cybersecurity of control systems.   

The NSM identifies the “need for baseline cybersecurity goals that are consistent across all critical infrastructure sectors, as well as a need for security controls for select critical infrastructure that is dependent on control systems.” It instructs the Department of Homeland Security (DHS) to lead the development of cross-sector cybersecurity performance goals as well as sector-specific cybersecurity performance goals.

CISA is developing voluntary cross-sector “Common Baseline” cybersecurity performance goals that address both information technology and control systems cybersecurity activities. The Common Baseline will provide a shared understanding of the baseline cybersecurity practices that critical infrastructure owners and operators can follow to protect national and economic security, as well as public health and safety. The Common Baseline is intended to provide “clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services” to protect systems supporting National Critical Functions.

Common Baseline  

The Common Baseline consists of foundational activities for effective risk management and high-level cybersecurity recommended practices. Implementation of these goals and objectives is not an exhaustive guide to all facets of an effective cybersecurity program. Following completion of the Common Baseline, CISA will work with each sector to develop sector-specific goals as needed that highlight additional practices that can provide a higher level of security based on the unique needs of each sector.

CISA recognizes the investment the critical infrastructure community has made aligning guidance to the NIST Cybersecurity Framework (CSF) and will map the Common Baseline goals to the CSF categories. Additionally, in many cases, the Common Baseline will point to actions that have been recommended through past guidance but have not been consistently adopted throughout the community. In such cases, the Common Baseline will provide an important platform for discussing barriers to implementation and the incentives and disincentives influencing cybersecurity in critical infrastructure.   

Sector-Specific Goals 

Once the Common Baseline (cross-sector Performance Goals) is complete, CISA will work with each Sector Risk Management Agency (SRMA) to begin development of sector-specific goals by:

  • Identifying any additional cybersecurity practices, not already included in the Common Baseline, needed to ensure the safe and reliable operation of critical infrastructure in that sector  
  • Providing examples for evidence of implementation specific to the infrastructure and entities in that sector; and  
  • Mapping any existing requirements (e.g., regulations or security directives) to the Common Baseline and sector-specific objectives and/or evidence of implementation so stakeholders can see how their existing compliance practices fulfill certain objectives.  

More information on the sector-specific goals will be provided, including timelines for the development of each sector’s goals, following the completion of the Common Baseline. 
