A little over one year ago, on July 28, 2021, President Biden signed a memorandum entitled “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems“. Like a lot of similar activities around that time, it was in response to a series of sometimes-devastating cyber attacks against critical infrastructure, of which the Colonial Pipeline incident was the most visible. As time has gone on – and other events such as Log4shell appeared – it is clear that industry needs help when it comes to securing critical technology and infrastructure.
After a year of following the direction of President Biden’s memorandum, CISA (Cybersecurity & Infrastructure Security Agency) has put together a fantastic set of what they are calling “Cybersecurity Performance Goals” (CPGs). This is an easy to use checklist of key security controls that represents a starting point for achieving a respectable level of security maturity. It has gaps and could benefit from industry-specific security requirements, but it’s a handy reference that covers all of the high points. Its 37 requirements are much easier to handle than all of the controls in NIST SP800-53, for example.
Assessing maturity
What can an organization do with this document? A good first step is to use this as a guide to get a “state of the state” when it comes to an organization’s security tools, especially if your security team has never done a maturity assessment before. Security tools are just one of the three pillars of a security program, but in comparison to people and processes they are relatively easy to inventory. For this reason, many organizations start with a security tool inventory and this checklist can make that discussion much easier.
No single security tool is capable of covering all of the requirements contained in the three dozen or so items, and many organizations may have more than one option when it comes to a particular requirement. As a result, it’s important to analyze your security tools and architecture to see where you have gaps and where you may be able to cover multiple requirements with one solution. There are hundreds, if not thousands, of security tools in the market today and it is difficult for any person to be familiar with all of them. However, I am quite familiar with Code42 Incydr and Instructor, and they are great examples of how a product can help address several of the requirements in this recently published checklist.
Meeting requirements at Code42
Unauthorized devices with Code42 Incydr
Regarding the requirement to Prohibit Connection of Unauthorized Devices (2.4), Incydr gives visibility to removable media devices and any unauthorized data movement to those devices. Interestingly, this requirement is rated as High complexity; Incydr provides a simple way to get visibility to removable media without complicated policies and with minimal setup. Perhaps this requirement is not as complex as it sounds. Incydr can also help support policies that prohibit the use of these kinds of devices in requirement to Document Device Configurations (2.5), again by providing visibility to the use of removable media. Policies are only as good as the technical controls in place to detect violations, and Incydr provides this detection capability.
Cybersecurity training with Code42 Instructor
Cybersecurity training is another key pillar of successful security programs and is rightly included in CISA’s checklist. Code42 Instructor can help meet the training requirements that are both generalized and activity-specific as it relates to requirements for Basic Cybersecurity Training (4.3) and Operational Technology (OT) Cybersecurity Training (4.4). By providing contextual, just-in-time security training that addresses potentially risky behavior, Instructor is far more effective than most other kinds of training.
Get started with CISA’s CPG checklist
I hope this brief walkthrough has been helpful in showing how this checklist can be used to assess a security team’s maturity and tool coverage and how tools in the security stack, such as Code42 Incydr and Instructor, can meet multiple requirements. When it comes to evaluating the maturity and effectiveness of a security program, it can be hard to know where to start given all of the frameworks and guides and compliance obligations that exist. CISA’s Cybersecurity Performance Goals is a simple to apply resource that any-sized company can use as a starting point to discover their security tool coverage and gaps from any point on the security journey.