A July 2021 memorandum by President Biden required the Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) to develop voluntary cybersecurity performance goals (CPGs) across all critical infrastructure sectors. These goals are intended to establish fundamental cyber practices that will aid organizations to begin their cybersecurity efforts and help reduce risks. By prioritizing information technology (IT) and operational technology (OT) cyber practices, the goals were created from existing frameworks and guidance, as well as tactics, techniques, and procedures (TTPs) observed by CISA and its partners.

According to CISA, the CPGs are intended to be:

• A baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value.
• A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.
• A combination of recommended practices for IT and OT owners, including a prioritized set of security practices.
• Unique from other control frameworks as they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation.

These CPGs reference and complement the NIST Cybersecurity Framework (CSF), and also extensively reference ISA/IEC 62443-2-1 and ISA/IEC 62443-3-3 in almost every category, including account security, device security, data security, governance and training, vulnerability management, supply chain/third party, and response and recovery. See below for more information on these standards:

• ISA-62443-2-1-2009, Security for Industrial Automation and Control Systems Part 2-1: Establishing an Industrial Automation and Control Systems Security Program: This standard is part of a multipart series that addresses the issue of security for industrial automation and control systems (IACS). It has been developed by Working Group 2 of the ISA99 committee. This standard describes the elements contained in a cybersecurity management system for use in the IACS environment and provides guidance on how to meet the requirements described for each element.
• ANSI/ISA-62443-3-3 (99.03.03)-2013 Security for industrial automation and control systems Part 3-3: System security requirements and security levels: This ISA99 standard provides detailed technical control system requirements (SRs) associated with the seven foundational requirements (FRs) described in ISA-62443-1-1 (99.01.01), including defining the requirements for control system capability security levels, SL C (control system). These requirements would be used by various members of the IACS community, along with the defined zones and conduits for the system under consideration (SuC) while developing the appropriate control system target SL, SL-T (control system), for a specific asset.

With the CPGs now complete, CISA will now look to work with each Sector Risk Management Agency (SRMA) to begin the development of sector-specific goals by:

• Identifying any additional cybersecurity practices, not already included in the Common Baseline, needed to ensure the safe and reliable operation of critical infrastructure in that sector.
• Providing examples for recommended actions specific to the infrastructure and entities in that sector; and
• Mapping any existing requirements (e.g., regulations or security directives) to the Common Baseline and sector-specific objectives and/or recommended actions so stakeholders can see how their existing compliance practices fulfill certain objectives.

More information on the sector-specific goals will be provided soon. You can learn more about CISA’s CPGs, along with links to the documents, here.