Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

All Posts

ISA/IEC 62443 Referenced in CISA’s Cross-Sector CPGs

A July 2021 memorandum by President Biden required the Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) to develop voluntary cybersecurity performance goals (CPGs) across all critical infrastructure sectors. These goals are intended to establish fundamental cyber practices that will aid organizations to begin their cybersecurity efforts and help reduce risks. By prioritizing information technology (IT) and operational technology (OT) cyber practices, the goals were created from existing frameworks and guidance, as well as tactics, techniques, and procedures (TTPs) observed by CISA and its partners.

According to CISA, the CPGs are intended to be:

  • A baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value.
  • A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.
  • A combination of recommended practices for IT and OT owners, including a prioritized set of security practices.
  • Unique from other control frameworks as they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation.

These CPGs reference and complement the NIST Cybersecurity Framework (CSF), and also extensively reference ISA/IEC 62443-2-1 and ISA/IEC 62443-3-3 in almost every category, including account security, device security, data security, governance and training, vulnerability management, supply chain/third party, and response and recovery. See below for more information on these standards:

With the CPGs now complete, CISA will now look to work with each Sector Risk Management Agency (SRMA) to begin the development of sector-specific goals by:

  • Identifying any additional cybersecurity practices, not already included in the Common Baseline, needed to ensure the safe and reliable operation of critical infrastructure in that sector.
  • Providing examples for recommended actions specific to the infrastructure and entities in that sector; and
  • Mapping any existing requirements (e.g., regulations or security directives) to the Common Baseline and sector-specific objectives and/or recommended actions so stakeholders can see how their existing compliance practices fulfill certain objectives.

More information on the sector-specific goals will be provided soon. You can learn more about CISA’s CPGs, along with links to the documents, here.

Steven Aliano
Steven Aliano
Steven Aliano is the Content Marketing Specialist for ISA & ISAGCA.

Related Posts

Securing Industrial Networks Can–And Should–Be Simple

A version of this blog originally appeared on Cisco
Andrew McPhee Jan 24, 2023 5:30:00 AM

Double Extortion Ransomware: What It Is and How to Respond

New attack methods in the cybersecurity landscape continue to emerge in the digitally driven world. One t...
Zac Amos Jan 17, 2023 5:30:00 AM

Defending Remote-Friendly Environments from Cyberattacks

This blog has been repurposed from the December 2022 issue of InTech
Damon Purvis Jan 10, 2023 5:30:00 AM