The agency contributed to the release of security requirements for the transportation sector this week and is expected to issue cross-sector performance goals for critical infrastructure companies’ voluntary adoption next week.
Over the coming year, the Cybersecurity and Infrastructure Security Agency plans to concentrate more of its attention on critical infrastructure sectors that adversaries target due to the essential services they provide but which don’t have the assets to defend themselves, according to Director Jen Easterly.
The agency will dedicate more of its resources to helping “specifically, water, hospitals and K-12 schools,” prepare for and respond to cyberattacks, Easterly said Thursday at a conference hosted by cybersecurity firm Mandiant.
In the wake of recent school shootings and a ransomware attack on the Los Angeles Unified School District, the agency recently announced a national summit on K-12 school safety and security planned for the start of next month.
“What we call the target-rich, resource-poor entities … all of those things are part of critical infrastructure, but they don't have large security teams; they're not investing millions and billions of dollars like some in finance and energy are,” Easterly said. “And so we have to figure out how to connect all of these entities together in a way that we can get information that is useful to them, that is tailored to their ability to understand it and absorb it, and then to drive down risks to all of our national critical functions.”
To that end, Easterly said CISA will be releasing performance goals next week, which will help to guide entities toward specific actions they can take to improve their security posture. CISA worked with the National Institute of Standards and Technology in distilling the goals down from about 100 security measures described in NIST’s Cybersecurity Framework.
The NIST CSF “is a great comprehensive guide to how you put in place a risk management program, and if you're a big business, you can align yourself—with your big security team—to the NIST cybersecurity framework,” Easterly said. “But if you're a small and medium business, you don't have the resources to be able to implement everything across that framework. And so what we did is work with NIST to determine the most high impact, high-risk areas. And there's really 35 of them. That was the starting cross-sector baseline for performance, those high impact high risk areas, where you can put controls in place to drive down risk.”
The performance goals emerged from a White House national security memo aiming to drive their voluntary adoption within industry as the default standard of due diligence, particularly for areas where regulatory authority is missing or unclear. In other areas, such as the transportation sector, the administration is continuing to update cybersecurity mandates for private industry.
On Wednesday, the Transportation Security Administration issued a detailed directive for designated passenger, freight and rail carriers that the agency said “focuses on performance-based measures to achieve critical cybersecurity outcomes,” suggesting there’s enough room for entities to decide how they want to achieve the desired results.
The directive will remain in effect through Oct. 24, 2023. In the meantime, TSA says the agency also plans to undertake a rulemaking process in establishing regulations for the rail sector that will include a public comment period.