After just five months on the books, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is revamping its Cybersecurity Performance Goals (CPG), a set of recommendations designed to help identify and prioritize measures that address the most common and serious cyber risks faced by organizations.
As the federal agency explained in a document (PDF) updating the CPGs:
"The Cross-Sector Cybersecurity Performance Goals (CPGs) strive to address this need by providing an approachable, common set of IT and OT cybersecurity protections that are clearly defined, straightforward to implement, and aimed at addressing some of the most common and impactful cyber risks."
CISA said the CPGs were "written and designed to be easy to understand and relatively easy to communicate with non-technical audiences, including senior business leadership."
The agency cautioned, however, that the CPGs are not an all-encompassing cybersecurity program but a minimum set of practices that organizations should implement. The aim is to help critical infrastructure entities — particularly small- and medium-size organizations — get started on the path to a strong cybersecurity posture. The CPGs are intended to be a floor, not a ceiling, for what cybersecurity protections organizations should implement.
In short, CISA has better aligned the CPGs with the National Institute of Standards and Technology's (NIST) Cybersecurity Framework, and added software supply chain goals. Here's what your team needs to know.
[ See also: NIST CSF 2.0: What it means for modern software supply chain security | Key takeaways: Supply chain security risks addressed in new Gartner report ]
The CPGs are now NIST-compatible
The new CPG guidance departs from the previous version in several ways. For example, CISA has reordered and renumbered all CPGs to align more closely with NIST's cybersecurity framework, a voluntary framework that combines existing standards, guidelines, and practices into a document that organizations of all sizes can use to improve their cybersecurity posture.
"CPGs include excellent advice on how organizations can use them to the best effect based on their own situation, from a quick-start guide to helping get funding for their security initiatives," said Mike Parkin, a technical marketing engineer with enterprise cyber risk remediation service provider Vulcan Cyber.
And with the new version, the CPGs are better aligned with existing guidelines.
"Bringing the cybersecurity performance goals into alignment with the cybersecurity framework makes it easier for organizations to map their own efforts across the two."
—Mike Parkin
The reordering and renumbering of the CPGs in the CISA guidelines significantly changes them. Previous CISA guidance focused on areas such as account security, device security, and data security, while NIST's key functions are identify, protect, detect, respond, and recover, said Michael Amiri, a senior analyst at ABI Research.
"NIST's key functions are widely recognized criteria for businesses and industries — particularly those in critical infrastructure. This means the new CISA directive now embraces a more familiar approach to cybersecurity."
—Michael Amiri
The order of these functions "is logical and significant," Amiri said. "In the realm of cybersecurity, one cannot mitigate or recover without first identifying the threat. Thus, 'identify' is the core function that precedes detection or recovery."
New multi-factor authentication guidance
Guidance on multi-factor authentication (MFA) has also been changed to reflect CISA's latest recommendations on phishing-resistant MFA. The new guidelines recommend that an organization's assets be protected by the strongest form of MFA available. Options cited by CISA, from strongest to weakest, include:
- Hardware-based, phishing-resistant MFA. This requires the use of a hardware device that produces short-lived codes when accessing systems or resources. The method is phishing-resistant because even if a user's name and password are compromised, an attacker would need the hardware device to compromise the account.
- Mobile app-based soft tokens. This method is similar to hardware-based MFA, but . instead of a hardware device producing a short-lived code, a mobile app such as Google Authenticator generates it.
- SMS or voice message. This method delivers a code to the user by text message or automated voice call. This method is the least secure way to implement MFA because it can be compromised in several ways. Since messages aren't encrypted, they can be read if intercepted in transit. Alternately, if an attacker steals the user's phone number in a SIM attack, those codes would be sent to the attacker's phone. And there's malware out there that's designed to pilfer codes when they arrive on a phone.
The new guidelines recommend that all IT accounts use MFA to access organizational resources. If all accounts can't be covered, they should be prioritized, with those with the highest risk, such as privileged administrative accounts, receiving the MFA treatment.
CISA advises all remotely accessible accounts and systems use MFA, including vendor and maintenance accounts, remotely accessible user and engineering workstations, and remotely accessible human-machine interfaces.
MFA changes welcomed, but more needed
Parkin said MFA should just be a basic "how-to" across the board, "but not all MFA schemes are created equal, and threat actors have learned ways to get around some of them," he said. "Specifying a phishing-resistant scheme shouldn’t be necessary, since ones that aren’t should probably fall out of use."
The MFA changes in the guidelines are a much-needed, "especially in the OT environment, where a breach of Industrial Control Systems, like a Programmable Logic Controller, could translate to overtaking actual physical equipment by cybercriminals," Amiri said.
He cited Stuxnet as an example of an attack that led to physical damage in an operational technology (OT) environment. (Stuxnet was a computer worm developed by the United States and Israel to sabotage the Iranian nuclear program. Discovered in June 2010, it is believed to have caused significant damage to the centrifuges used by Iran to enrich uranium).
Emphasizing phishing resistance in the new version of the CISA guidance is important, because ordinary MFA is no longer secure and can be easily breached, even by novice bad actors, he added.
"Text message and email-based authentication are the weakest forms of MFA and susceptible to easy infiltration. While still better than no MFA, cybercriminals are becoming highly skilled at workarounds."
—Michael Amiri
Software supply chain security added
The new CPGs also include guidance on supply chain security: They recommend that organizations rapidly learn about and respond to known incidents and breaches, as well as vulnerabilities in the assets of their vendors and service providers. To do that, organizations should require in their procurement documents and contracts such as service level agreements (SLA) notification of security incidents and vulnerabilities within a risk-informed time frame.
Amiri said the supply chain security in the CPGs was surprising. "If you compare and contrast the old and new documents, they are almost two different animals. I wonder why the first version was based on different criteria rather than the five functions of NIST," he said.
"The new version is much more practical and applicable now that it's in line with NIST's five key functions. This makes it easier to understand and implement because NIST is so well known, and has been around for almost 10 years."
—Michael Amiri
The changes were less surprising to Parkin:
"The threat landscape is always evolving as threat actors invent new techniques and find new vulnerabilities to exploit, so our defenses need to evolve and adapt to suit those developments."
—Mike Parkin
CISA’s cybersecurity performance goals were never intended to be set in stone and changes are no surprise, Parkin said. He expects the goals to be updated in the future as well, "as the threat situation evolves and as our tactics and tools for staying ahead of threats evolve with it."
Keep learning
- Get up to speed on securing AI/ML systems and software with our Special Report. Plus: See the Webinar: The MLephant in the Room.
- Learn how you can go beyond the SBOM with deep visibility and new controls for the software you build or buy. Learn more in our Special Report — and take a deep dive with our white paper.
- Upgrade your software security posture with RL's new guide, Software Supply Chain Security for Dummies.
- Commercial software risk is under-addressed. Get key insights with our Special Report, download the related white paper — and see our related Webinar for more insights.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.