Hi All, CISA just published the Cybersecurity Performance Goals Adoption Report
The Cybersecurity and Infrastructure Security Agency (CISA) defines Cross-Sector Cybersecurity Performance Goals (CPGs) as a subset of cybersecurity practices selected through a thorough process of industry, government, and expert consultation, aimed at meaningfully reducing risks to both critical infrastructure operations and the American people. Although CPGs are voluntary in nature, they aim to help organizations develop and enhance their investment in cybersecurity efforts. CISA's CPGs have been organized to align with the five main functions of the National Institute of Standards and Technology's (NIST's) Cybersecurity Framework 1.0 (CSF 1.0): identify, protect, detect, respond and recover. CISA's initiatives and programs are driving service enrollments and CPG adoption across critical infrastructure sectors, with the strongest impact seen in the Healthcare and Public Health, Water and Wastewater Systems, Communications, and Government Services and Facilities sectors.
Key Findings:
• Exploitable services routinely monitored by CISA Vulnerability Scanning have been steadily decreasing from 12 services per enrollee in August 2022 to about eight services per enrollee in August 2024 (Figure 13).
• Across the period of analysis, remediation times for Secure Sockets Layer (SSL) vulnerability and known exploited vulnerability (KEV) tickets decreased by 50% for critical-severity KEVs and by 25% for high-severity KEVs (Figures 4 and 5).
• In August 2022, SSL vulnerability-related tickets were resolved in about 200 days. During the later months, resolution time decreased to under 50 days (Figure 7).
• As of Aug. 31, 2024, CISA observed the highest occurrence of operational technology (OT) protocols exposed to the public internet within the Government Services and Facilities sector, at 63% exposure (Table 2).
Organizations should remain up to date on cybersecurity hygiene and best practices to protect against adversary threats related to gaps in network infrastructure. Internet-facing exposed services and assets should remain a priority for remediation in conjunction with the above key findings. CISA also encourages sector entities to review NIST Special Publication (SP) 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations and the NIST Cybersecurity Framework for additional best practices.
------------------------------
Michael Roza CPA, CISA, CIA, CC, CCSKv5, CCZTv1, MBA, EMBA, CSA
------------------------------