The US Department of Homeland Security released the Cybersecurity Performance Goals (CPGs), voluntary practices that outline the highest-priority baseline measures businesses and critical infrastructure owners of all sizes can take to protect themselves against cyber threats.
he CPGs were developed by DHS, through the Cybersecurity and Infrastructure Security Agency (CISA), at the direction of the White House. Over the past year, CISA worked with hundreds of public and private sector partners and analyzed years of data to identify the key challenges that leave our nation at unacceptable risk.
By clearly outlining measurable goals based on easily understandable criteria such as cost, complexity, and impact, the CPGs were designed to be applicable to organizations of all sizes.
Organizations across the country increasingly understand that cybersecurity risk is not only a fundamental business challenge but also presents a threat to our national security and economic prosperity
said Secretary of Homeland Security Alejandro N. Mayorkas.
CISA developed the CPGs in close partnership with organizations across government and the private sector. The resulting CPGs are intended to be implemented in concert with the NIST Cybersecurity Framework. The CPGs prescribe an abridged subset of actions to help organizations prioritize their security investments.
Cybersecurity Performance Goals
#1 Account security:
- Detection of Unsuccessful (Automated) Login Attempts;
- Changing Default Passwords;
- Multi-Factor Authentication (MFA);
- Minimum Password Strength;
- Separating User and Privileged Accounts;
- Unique Credentials;
- Revoking Credentials for Departing Employees.
#2 Device security:
- Hardware and Software Approval Process;
- Disable Macros by Default;
- Asset Inventory;
- Prohibit Connection of Unauthorized Devices;
- Document Device Configurations.
#3 Data security:
- Log Collection;
- Secure Log Storage;
- Strong and Agile Encryption;
- Secure Sensitive Data.
#4 Governance and training:
- Organizational Cybersecurity Leadership;
- OT Cybersecurity Leadership;
- Basic Cybersecurity Training;
- OT Cybersecurity Training;
- Improving IT and OT Cybersecurity Relationships.
#5 Response and recovery:
- Incident Reporting;
- Incident Response (IR) Plans;
- System Back Ups;
- Document Network Topology.