Development of Common Baselines for Cybersecurity for Critical Infrastructure Continues
The National Institute of Standards and Technology (NIST) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) are continuing to coordinate cross-sector Common Baseline goals and objectives for cybersecurity to protect critical infrastructure. This cross-sector process started in response to several high-profile cyber hacking incidents affecting critical infrastructure. As a result, the Biden Administration issued the 2021 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. The National Security Memorandum established a working group with the U.S. Departments of Commerce, Homeland Security, and the National Institute of Standards and Technology (NIST). The overall goal was to establish common baseline objectives and performance standards to increase cybersecurity preparedness, response, and resilience for cyber incidents.
In July 2021, the U.S. Department of Homeland Security, working through CISA, and NIST were tasked with developing the preliminary cybersecurity performance goals that will drive adoption of effective practices and controls. CISA and NIST identified nine categories of recommended cybersecurity practices and used these categories as the foundation for preliminary control system cybersecurity performance goals. Each of the nine goals includes specific objectives that support the deployment and operation of secure control systems; these objectives are further organized into baseline and enhanced objectives. These goals represent high-level cybersecurity best practices. They are:
Risk Management and Cybersecurity Governance
Architecture and Design
Configuration and Change Management
System and Data Integrity, Availability, and Confidentiality
Continuous Monitoring and Vulnerability Management
Training and Awareness
Incident Response and Recovery
Supply Chain Risk Management
DHS CISA and NIST have held a series of outreach meetings, which ILTA staff have attended. As the outreach process closes, the CISA and NIST Working Group has set a deadline of August 10, 2022, for submission of feedback and has asked the Sector Risk Management Agencies (SRMAs) to consolidate all input and feedback into a single submission. To allow time to compile feedback, CISA and NIST requested that ILTA Members submit their comments on the attached comment form to Michael Stroud, with ILTA, no later than Wednesday, August 3rd. Please let Michael Stroud know if you have any questions.