New Federal cybersecurity guidance for critical infrastructure providers offers a necessary view of security baselines for those organizations, a senior General Dynamics Information Technology executive told MeriTalk.
On Oct. 27 the Cybersecurity and Infrastructure Security Agency (CISA) unveiled its long-anticipated cybersecurity performance goals (CPGs) to help critical infrastructure owners and operators prioritize and set a foundation for key security measures.
The goals provide both big and small industry stakeholders with expectations of what a defendable network entails, and provide more in-depth details that were missing from previous cybersecurity regulatory guidance, said Matt Hayden, GDIT’s Vice President of Cyber Client Engagement, in an interview with MeriTalk.
“The intention of the [CPGs] was based on an observation that small and medium infrastructure partners were having a difficult time [implementing] the NIST [National Institute of Standards and Technology] cybersecurity framework and all these different regulatory guidance and overlaying that with tactical tips … and feel quasi protected,” Hayden said.
“And so, this is where the cyber performance goals come in,” he added. “It gives the small and medium user the balance to look at [for example] where certain steps plug into that NIST cybersecurity framework. [So] if I want to build a more advanced cybersecurity framework and policy guidance, the goals offer insight for said tips.”
This was something missing from previous cybersecurity guidance and something the goals offer industry stakeholders, especially small and medium-sized infrastructure partners, Hayden explained.
The CPGs are a baseline for helping both large and small industry partners build out defensible networks. A good evolution of the list is for CISA to provide services to critical infrastructure partners in need of these steps, Hayden explained.
“There is likely an evolution of this that is a direct response to the scenario ‘Hey, you just told me to improve my security in a world where I don’t have resources,’” Hayden said. The list could provide details on the services that CISA offers to help organizations accomplish those goals, he added.
Next, CISA plans to develop sector-specific goals and will work with each Sector Risk Management Agency for those objectives. Hayden predicts that sector-specific goals for the IT sector will predominantly focus on zero trust security principles.
“[In the IT sector] everyone’s doing well on firewall and perimeter, and there has been a lot of investment in that area,” Hayden said. “There was an expectation that the investment would last five to ten years. But here we are, three to five years later, saying that was an incomplete solution. Now, you must protect the insides of your network as well as additional credentialing and securing of how people confirm their identity in your networks,” Hayden said.
“I would expect a lot of solutions or security outcomes around the identities network and all the different pillars that make up the zero trust framework,” he added.