The Cybersecurity and Infrastructure Security Agency (CISA) is working closely with industry and the National Institute of Standards and Technology (NIST) to finalize its cyber performance goals, an agency official told lawmakers on September 15.
Eric Goldstein, executive assistant director for cybersecurity at CISA, said during a House Homeland Security cyber subcommittee hearing that CISA plans to release version 2.0 of the performance goals in October as part of its annual Cybersecurity Awareness Month.
“The Common Baseline is voluntary by design, and we developed the draft goals through a highly collaborative process,” Goldstein said.
CISA received over 2,000 comments across two separate rounds of review, including multiple workshops with critical infrastructure partners, industrial control systems (ICS) and operational technology (OT) experts, and the public. In addition, Goldstein explained that the performance goals align with the NIST Cybersecurity Framework (CSF).
“CSF is the de facto standard for all organizations to build and evaluate their cybersecurity programs,” Goldstein said. “The Common Baseline extends the CSF by identifying the most impactful controls across both IT and OT systems and describes both the scope and measurements for those controls so that it is easier for asset owners to implement and attest to their security posture.”
Subcommittee Chairwoman Rep. Yvette Clarke, D-N.Y., praised CISA’s efforts to develop the performance goals and stressed the Federal government’s role in providing guidance to critical infrastructure operators.
Further Initiatives on OT, ICS Cybersecurity
While attention is shifting toward OT security, the Federal government is still working through the challenges of targeting its efforts toward smaller operators with limited resources, and of ensuring that the OT investments made today have security built into them.
“We rely on [ICS] and other [OT] to make sure we have power in our houses, clean water to drink, and countless other functions and services essential to our health, safety, and livelihoods. Still, questions about how we secure these critical OT systems tend to take a backseat to traditional IT security,” Rep. Clarke said.
CISA has led many of the critical infrastructure security efforts at the Federal level, and Goldstein gave a rundown of current initiatives focused on the ICS sector and OT needs.
In April 2022, CISA announced the expansion of its Joint Cyber Defense Collaborative with a new group focused on the ICS sector including manufacturers, integrators, security providers, and owner/operators.
“The group is working on a cyber defense plan focused on enhancing the efficiency, effectiveness, and speed of sharing threat information across components of the ICS ecosystem,” Goldstein said.
The agency is also working on expanding its CyberSentry program, which provides continuous monitoring and detection of cybersecurity risks to critical infrastructure entities that own or operate ICS that support national critical functions.
In addition, Goldstein explained that CISA wants to direct agencies to increase their efforts in identifying all ICS they operate, but said that no such mandate is in development to date.
Before CISA can issue any operational directive, the agency must determine whether it has the resources, personnel, and processes to measure agencies’ compliance with such an order and to work with agencies that don’t comply, he explained.
Reps. Jim Langevin, D-R.I., and Ritchie Torres, D-N.Y., questioned Goldstein further on the agency’s ability to apply this directive beyond privately owned critical infrastructure, and jumpstart agencies’ efforts to inventory their own ICS equipment.
Based on CISA’s current capabilities, “our sense is today that we do have the ability to ensure agencies’ compliance with a hypothetical directive requiring agencies to identify all of their ICS technology,” Goldstein said.