What are the CPGs?

The CISA Cybersecurity Performance Goals (CPGs) provide a practical framework for resource-starved critical infrastructure entities to establish an initial cybersecurity program. The objective is to establish a “floor” of acceptable cybersecurity for critical infrastructure operators that we can improve as we mature.

References

CISA Cross-sector Cybersecurity Performance Goals

CPG Checklist - Excel

<aside> 💡 This template is based on the CPG checklist v1.0.1 retrieved from the CISA website on June 6, 2024 and is the most current as of the last update to this template.

Additionally, this is the core CPG template and does not consider sector specific templates at this time, but we will release future versions that do. Examples include energy, healthcare, and others.

</aside>

How do I use the CPG Template?

You can use this template as a guide to implement the CPGs in your organization for zero ($0) capital costs. Yes, you heard that correctly. This template assumes $0 capital budget and uses open-source tools to accomplish this. But you will need some friends to help with the work. Our objective is to make this easy for you.

Getting Started

• CPG Template Version History (v0.1.4)

1. Perform a Risk Assessment using CSET or your preferred tool.
2. Make an inventory of your resources and get management support for your project
3. Create a project plan using our checklist
4. Implement tools and explore resources
5. Get secure!

What is DefendICS?

“People, Process, Technology, there’s a reason People come first”

DefendICS is a non-profit organization dedicated to the mission of equipping asset owners and operators with the skills and knowledge they need to secure critical infrastructure.

Introduction to CPG Template

https://youtu.be/_09WIV36zGA

This video is a bit of an Inception effect in that it describes the template you are looking at now. If you’d like a walkthrough on how to use this template, check out the link above. If you like what you see here, or have suggestions for improvements, please get in touch with the DefendICS team. Thanks!

CISA Cyber Security Evaluation Tool

https://www.youtube.com/watch?v=TCiLJZdv1zA

The CSET tool can be used to perform security assessments against a variety of frameworks, including the CISA CPGs. CISA provides an excellent training course on both the CPGs as well as how to use CSET to perform assessments at Cybersecurity Performance Goals (CPG) Assessment Training

CPG Objectives

Operational Support

<aside> ℹ️ See below for the following assumptions about your environment.

</aside>

• Running a Windows Active Directory domain, with Windows desktops for most users.
• Organization uses Office or M365. There are no commercial cybersecurity products except for what comes with Windows OS.
• Native Windows and Active Directory capabilities will be prioritized, but careful considerations to AD design should include appropriate architecture such as separate AD domains for IT and OT and one-way trusts.
• All OSS builds unless otherwise stated are built on a minimal Ubuntu 24.04 LTS OS
• When feasible, application deployment will utilize Docker and Docker Compose.
• Base Build instructions can be found at Ubuntu 24.04 Build

This template relies heavily on human labor to perform the work. This can come from internal resources, CISA, contractors and other 3rd parties. Much of this work can be performed by non-security resources, so don’t worry if you don’t have a large cybersecurity group.

Other Resources

CISA Services Support

CISA CSET Tool

• CISA Services
• CISA Resources
• Other Resources

Resource Inventory Views

• Open Source Tools List (expand to view)

• Resource Planning - Labor Calculator (expand to view)