December 1st, 2023
What Are CPGs and Why Is Everyone Talking About Them?

Have you ever started looking into a complex topic and been overwhelmed by all the details involved? Not only is it hard to understand, but implementing everything can be mind-boggling. Most people have this reaction to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). While the NIST CSF provides important information about protecting your district from cyberattacks, it can be daunting to understand, much less implement. That is why CISA (Cybersecurity and Infrastructure Security Agency) created the Cross-Sector Cybersecurity Performance Goals (CPGs).

In its August 2023 bulletin, “K-12 Digital Infrastructure Brief: Defensible and Resilient,” CISA defines CPGs this way:

“CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs), released in October 2022 and updated in March 2023, can help schools prioritize limited resources. The CPGs are a user-friendly set of cybersecurity best practices aligned to the NIST CSF that any school district or state agency technology leader can pick up and start using today. Several of the highest-impact goals are highlighted below.”

CISA identified the six highest-priority CPGs in its January bulletin. The August bulletin included many of those six and added more as the next step to take once the first six are implemented. Today I will start with a reminder of what those six highest-priority CPGs were.

  • Implement multifactor authentication (MFA) (CPG 2.H)
  • Fix known security flaws (aka patching) (CPG 1.E)
  • Perform and test backups (CPG 2.R)
  • Minimize exposure to common attacks (CPG 2.Q and 2.W)
  • Develop and exercise an incident response plan (CPG 2.S)
  • Implement a strong cybersecurity training program (CPG 2.I)

This week’s suggestion:

  • How many of the items above have you implemented? If you haven’t implemented all of them, have you made a plan to do so?

