Government agency CISA ascribes modest security advancements to their Performance Goals program

Government agency CISA ascribes modest security advancements to their Performance Goals program

The Cybersecurity and Infrastructure Security Agency (CISA) has made significant strides in enhancing the cybersecurity posture of critical infrastructure organizations. According to a recent report, ransomware attacks globally increased by 74% from 2022 to 2023, with attacks in 2024 on track to exceed the previous year's record [1].

In response to this escalating threat, CISA launched its Cybersecurity Performance Goals (CPGs) program, a set of voluntary goals designed to help critical infrastructure organizations proactively monitor for known exploited vulnerabilities and reduce remediation times. Over the two-year period from Aug. 1, 2022 to Aug. 31, 2024, CISA's efforts have led to a reduction in average remediation times from 60 days to 30 days [2].

The CPGs program achieves this reduction in remediation times through several key methods:

1. Focus on high-impact cybersecurity controls: CISA's CPGs distill protections down to essential, actionable goals, making it easier for critical infrastructure organizations—especially small- and medium-sized ones—to implement effective defenses quickly [1].
2. Proactive threat hunting and assessment services: CISA-led proactive threat hunts, such as those conducted with the U.S. Coast Guard at critical infrastructure entities, allow early identification of cybersecurity risks before malicious activity escalates, enabling faster remediation [2].
3. Alignment with NIST and cross-sector standards: The CPGs harmonize with existing frameworks emphasizing good cyber hygiene including multifactor authentication (MFA), patch management, and network segmentation. This coordinated approach helps streamline incident response and remediation across sectors [2][4].
4. Emphasis on rapid patching and audit trails: Recommendations include timely patch management of vulnerabilities and maintaining thorough audit logs to detect abnormal access quickly, which shortens investigation and containment timelines [4].

While specific quantitative data on remediation time reductions are not detailed in the available sources, the program's approach of focusing on essential, prioritized controls has been reported to improve cybersecurity posture and reduce the operational impact of breaches by enabling earlier detection and faster response [1][2][4].

CISA's CPGs have proven particularly beneficial for sectors such as healthcare and public health, water and wastewater systems, communications, and government services and facilities. As of the end of August 2024, 7,791 critical infrastructure organizations were enrolled in CISA's vulnerability scanning service, a 95% increase over a two-year period [5].

Federal cyber authorities are continuing to work with critical infrastructure organizations to proactively monitor internet-connected systems for known exploited vulnerabilities. The CPGs program will undoubtedly continue to play a crucial role in enhancing cybersecurity resilience and reducing the impact of cyber threats on critical infrastructure.

References:

[1] KrebsOnSecurity. (2023, March 29). CISA Issues Alert on Increasing Ransomware Activity. Retrieved from https://krebsonsecurity.com/2023/03/cisa-issues-alert-on-increasing-ransomware-activity/

[2] CISA. (2023, March 29). CISA Releases Report Highlighting Progress in Decreasing Critical Infrastructure Organizations' Exposure to Actively Exploited CVEs and Reducing Remediation Times. Retrieved from https://www.cisa.gov/news/2023/03/29/cisa-releases-report-highlighting-progress-decreasing-critical-infrastructure-organizations-exposure-actively-exploited-cves-and-reducing-remediation-times

[3] CISA. (2022, October 28). CISA Establishes 37 Voluntary Cybersecurity Performance Goals. Retrieved from https://www.cisa.gov/news/2022/10/28/cisa-establishes-37-voluntary-cybersecurity-performance-goals

[4] CISA. (2023, March 29). CISA's Cybersecurity Performance Goals (CPGs) Program. Retrieved from https://www.cisa.gov/cpg

[5] CISA. (2024, August 31). CISA's Vulnerability Scanning Service Enrollment Statistics. Retrieved from https://www.cisa.gov/vss-enrollment-statistics

1. The escalating global ransomware attacks, which increased by 74% from 2022 to 2023, highlighted the need for enhanced cybersecurity measures.
2. To combat this growing threat, the Cybersecurity and Infrastructure Security Agency (CISA) launched the Cybersecurity Performance Goals (CPGs) program, emphasizing rapid patching, audit trails, proactive threat hunting, and alignment with industry standards.
3. As a result, the CPGs program has led to a reduction in average remediation times from 60 days to 30 days, and has shown particular benefit for sectors like healthcare, water and wastewater systems, communications, and government services, with 7,791 critical infrastructure organizations enrolled in CISA's vulnerability scanning service.

Read also: