Biden administration unveils cybersecurity goals for critical infrastructure operators

The Homeland Security Department on Thursday unveiled new benchmarks for critical infrastructure operators to strengthen their cybersecurity defenses, the Biden administration’s latest attempt to convince companies to voluntarily adopt better safeguards.

The cybersecurity performance goals — developed by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) — lays out the security steps the government expects all critical infrastructure entities to undertake but does not regulate them, which could ultimately blunt their impact.

“These are really, I think, a watershed moment in providing an easy, accessible, prioritized menu of options for businesses to advance their cybersecurity in an increasingly threatening environment,” Homeland Security Secretary Alejandro Mayorkas said on a press call.

He added the suggested steps are identified according to the cost associated with each action, their overall complexity and the “magnitude of the impact that the goal’s implementation would have on advancing one’s cybersecurity.”

The goals and their accompanying checklist — broken up into different areas, such as device and data security, vulnerability management and recovery and developing an incident response plan — recommends common tactics that the administration’s top cyber officials have urged in the past, including implementing multi-factor authentication, strong password management and asset inventory.

CISA Director Jen Easterly said the goals could be thought of as a “quick-start guide” and might be particularly helpful to “small and medium businesses, especially those in the supply chain” of major corporations that already follow the security measures described in NIST’s Cybersecurity Framework, as well as “target rich, resource poor entities'' like water utilities, school districts and hospitals.

President Joe Biden signed a national security memorandum last year that called for the goals after a series of ransomware attacks disrupted the nation's fuel supplies and food distribution.

Easterly noted her organization created a GitHub page to receive feedback on the new metrics and would work with individual critical infrastructure operators in the coming months to create sector-specific performance goals.

Eric Goldstein, executive assistant director for cybersecurity at CISA, said the agency would use the goals to “really get out there and talk to organizations across the country and, frankly, evangelize the most important steps to take.”

"We are really excited for these performance goals to be a living document," he told reporters, adding the goals would be updated every six to 12 months.