How CISA Defines Cybersecurity Performance Goals (CPGs)

The Cybersecurity and Infrastructure Security Agency (CISA) released its Cybersecurity Performance Goals (CPGs) in October 2022 to raise organizations' cyber maturity: CISA wanted to help organizations gain confidence in their security and guide them through the process of reducing business risk. Learn more about how these goals are defined and their impact thus far.

CISA’s Cybersecurity Performance Goals

In the summer of 2023, CISA outlined four first-step CPGs that organizations can focus on in order to reach better security standards. Given the overwhelming and growing number of security concerns, protection frameworks, and strategies, this concise list was a breath of fresh air because it reduced security planning to a few major yet manageable concerns.

The full list of CISA’s CPGs and their definitions can be found on CISA's site. They are complemented well by the out-of-the-box Cyber Performance Indicators (CPIs) that Onyxia provides, and they are organized to align with the functions of NIST’s Cybersecurity Framework (CSF):

  1. Identify: Develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

  2. Protect: Develop and implement the appropriate safeguards to ensure delivery of critical services.

  3. Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

  4. Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

  5. Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

CISA is confident that these fundamental practices have a positive impact, and it has data to support this view. CISA identified positive national trends connecting the adoption of CPGs to risk reduction in organizations. The data relates to two CPGs: Mitigating Known Vulnerabilities (CPG Goal 1.E) and No Exploitable Services on the Internet (CPG Goal 2.W). CISA identified these trends across nearly 3,500 organizations that were enrolled in its Vulnerability Scanning service before April 1, 2022.

Mitigating Known Vulnerabilities (CPG Goal 1.E)

Before the release of CISA’s CPGs, the average number of vulnerabilities per organization that appear in CISA’s Known Exploited Vulnerabilities (KEV) catalog fluctuated. After the CPG release, the nearly 3,500 organizations enrolled in the Vulnerability Scanning service before April 1, 2022 saw a steady decrease in the average number of KEVs (almost 20%). On average, this change occurred within the first three months of CISA’s involvement in the organization’s vulnerability scanning.

No Exploitable Services on the Internet (CPG Goal 2.W)

Although the decrease was very small (1 percent or less), the majority of the same cohort of nearly 3,500 organizations saw a slight decrease in the number of exploitable services exposed to the internet.
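Both indicators above can be computed from ordinary vulnerability-scan output: for 1.E, how many findings map to entries in the KEV catalog (and how many are past the remediation due date the catalog assigns); for 2.W, how many internet-facing listeners run services that policy treats as exploitable. The Python below is an added example written for this article, not code from CISA, Onyxia, or the Vulnerability Scanning service. The KEV excerpt, the scan findings, and the list of ports treated as exploitable are constructed placeholders; the real catalog is published as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json with the same field names used here, so `load_kev` can be pointed at a downloaded copy.

```python
"""Two CPG-aligned indicators computed from constructed scan data.

CPG 1.E: findings whose CVE is in the KEV catalog, and which are past CISA's due date.
CPG 2.W: internet-facing listeners on ports the (assumed) policy forbids.

Added example for this article; not CISA's, Onyxia's, or any scanner's own code.
"""
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV feed. The CVE IDs, dates and
# vendor names are placeholders, not real catalog entries.
KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "example",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor", "product": "ExampleApp",
     "vulnerabilityName": "ExampleApp RCE", "dateAdded": "2024-01-10",
     "shortDescription": "constructed", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known", "notes": ""},
    {"cveID": "CVE-2099-0002", "vendorProject": "ExampleVendor", "product": "ExampleFiler",
     "vulnerabilityName": "ExampleFiler auth bypass", "dateAdded": "2024-02-01",
     "shortDescription": "constructed", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-03-15", "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}
"""

# Constructed scan findings (one row per listener), not output from any real scanner.
FINDINGS = [
    {"host": "web-01",  "internet_facing": True,  "port": 443,  "service": "https",  "cves": ["CVE-2099-0001"]},
    {"host": "web-01",  "internet_facing": True,  "port": 3389, "service": "rdp",    "cves": []},
    {"host": "file-02", "internet_facing": False, "port": 445,  "service": "smb",    "cves": ["CVE-2099-0002"]},
    {"host": "vpn-03",  "internet_facing": True,  "port": 443,  "service": "https",  "cves": ["CVE-2099-0003"]},
    {"host": "jump-04", "internet_facing": True,  "port": 23,   "service": "telnet", "cves": []},
]

# Assumed policy for this example: services treated as exploitable when reachable
# from the internet. Tailor this list to your own environment.
EXPLOITABLE_INTERNET_PORTS = {21: "ftp", 23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc"}

AS_OF = date(2024, 2, 15)  # date the indicators are evaluated against


def load_kev(kev_text):
    """Map cveID -> {due: date, ransomware: bool} from a KEV-shaped JSON document."""
    catalog = json.loads(kev_text)
    return {
        v["cveID"]: {
            "due": date.fromisoformat(v["dueDate"]),
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
        }
        for v in catalog["vulnerabilities"]
    }


def kev_exposure(findings, kev, as_of):
    """CPG 1.E: findings that match a KEV entry, flagged if past the catalog's due date."""
    hits = []
    for f in findings:
        for cve in f["cves"]:
            entry = kev.get(cve)
            if entry is None:  # a CVE outside the catalog is still a finding, just not a KEV
                continue
            hits.append({"host": f["host"], "cve": cve,
                         "overdue": as_of > entry["due"],
                         "ransomware": entry["ransomware"]})
    return hits


def exploitable_services(findings, policy=EXPLOITABLE_INTERNET_PORTS):
    """CPG 2.W: internet-facing listeners on ports the policy forbids (internal ones are ignored)."""
    return [{"host": f["host"], "port": f["port"], "service": policy[f["port"]]}
            for f in findings if f["internet_facing"] and f["port"] in policy]


def indicators(findings, kev_text, as_of):
    """Roll both indicators up into the per-organization numbers a dashboard would track."""
    hits = kev_exposure(findings, load_kev(kev_text), as_of)
    exposed = exploitable_services(findings)
    hosts = {f["host"] for f in findings}
    return {
        "hosts": len(hosts),
        "kev_findings": len(hits),
        "kev_per_host": len(hits) / len(hosts),
        "kev_overdue": sum(h["overdue"] for h in hits),
        "kev_ransomware": sum(h["ransomware"] for h in hits),
        "exploitable_internet_services": len(exposed),
        "hosts_with_exploitable_services": sorted({e["host"] for e in exposed}),
    }


def example_summary():
    return indicators(FINDINGS, KEV_JSON, AS_OF)


if __name__ == "__main__":
    for key, value in example_summary().items():
        print(f"{key}: {value}")
```

Tracking `kev_per_host` and `exploitable_internet_services` over successive scans gives the same two trend lines CISA reports above, and the `kev_overdue` count is the one to escalate first, since those are the entries whose catalog due date has already passed.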

ReadySetCyber: A Practical Implementation of the Performance Goals

CISA has been focusing on making it easier to prioritize cybersecurity tasks. This is especially helpful for small and medium-sized stakeholders, which have access to fewer resources.

Last year, CISA announced that in early 2024 it would launch a new tool called ReadySetCyber, which it described as “a new way for organizations to understand their cyber risk and receive targeted, straightforward guidance built around our Cybersecurity Performance Goals.”

Incorporating cybersecurity into an organization’s business decisions, whatever the organization’s size, can be daunting. Which cybersecurity products to invest in and which security measures to prioritize are crucial choices that need to be handled with care. Even when everyone involved is proficient with cybersecurity concepts and implementations, there can be uncertainty about what to work on first. CISA’s ReadySetCyber simplifies this process through personalized resources and insights.

“ReadySetCyber will empower users to align scarce resources with the most impactful cybersecurity measures for their organization.” (Unlocking Tomorrow’s Cybersecurity: A Sneak Peek into ReadySetCyber)

ReadySetCyber starts by assessing the current state of an organization’s cybersecurity strategy. This is done through a list of questions aimed at producing a personalized strategizing experience for each individual organization. Along with strategies, tools, and resources, CISA’s ReadySetCyber connects organizations with a regional CISA cybersecurity advisor.

CISA intends ReadySetCyber to be an equalizer by providing access to the right information, and it is actively using input from organizations to make the tool genuinely helpful. Programs like ReadySetCyber highlight the importance of embracing cybersecurity measurement and strategy at the business level.
