The Bedel Security Blog

CISA’s Cybersecurity Performance Goals: A New Opportunity for Community Financial Institutions

Written by Trisha Durkin | Jan 17, 2025

The Cybersecurity and Infrastructure Security Agency (CISA) recently released its Cybersecurity Performance Goals (CPGs) Adoption Report, highlighting how critical infrastructure sectors benefit from implementing these voluntary measures. This milestone offers an excellent opportunity for community financial institutions to reflect on their cybersecurity strategies and consider how adopting these goals can enhance their resilience in a rapidly evolving threat landscape.


The CPGs: What You Need to Know

Introduced in October 2022, the CPGs are a set of practical, voluntary measures designed to strengthen cybersecurity across critical infrastructure. Developed with small- and medium-sized organizations in mind, these goals provide a roadmap for prioritizing essential security measures without overwhelming limited resources.

CISA’s latest report analyzed data from over 7,700 critical infrastructure organizations participating in its Vulnerability Scanning service. Sectors like Healthcare, Water and Wastewater Systems, and Communications have seen tangible improvements thanks to their adoption of the CPGs. The common thread? Strong partnerships with CISA and proactive adoption of these frameworks.


Why Financial Institutions Should Care

As part of the nation’s critical infrastructure, financial institutions face increasing regulatory scrutiny and cyber threats. The financial sector’s reliance on trust and operational continuity makes cybersecurity a business imperative. Here’s why CPG adoption should be on your radar:

  1. Proactive Risk Management: The CPGs provide actionable steps to identify and mitigate vulnerabilities, helping financial institutions stay ahead of threats.

  2. Regulatory Alignment: While the CPGs are voluntary, they align with broader cybersecurity frameworks, positioning financial institutions to demonstrate compliance and readiness during examinations.

  3. Cost-Effective Security Enhancements: By focusing on high-impact, achievable goals, the CPGs make it easier for smaller institutions to strengthen their cybersecurity posture without stretching resources too thin.

  4. Building Resilience: Implementing the CPGs helps financial institutions bolster defenses against ransomware, phishing, and other prevalent threats, ensuring operational continuity.


The CAT Tool Sunset: A Timely Shift

The Federal Financial Institutions Examination Council (FFIEC) has announced plans to sunset the Cybersecurity Assessment Tool (CAT), a framework many financial institutions relied on to assess their cybersecurity maturity. With the CAT Tool being phased out, now is the perfect time to explore alternative frameworks—like CISA’s CPGs—to guide your cybersecurity initiatives. While the CAT focused on assessment, the CPGs emphasize actionable steps to improve security, making them a natural next step for institutions looking to evolve their approach.


Key Takeaways for Financial Institutions

  1. Start with CPGs to Prioritize Security: Use the CPGs as a foundation to identify critical areas needing improvement.

  2. Engage with CISA Programs: Leverage CISA resources like the Vulnerability Scanning service to strengthen your cybersecurity posture.

  3. Proactive Adoption: Don’t wait for a mandate or a breach—start implementing the CPGs to mitigate risks and enhance resilience.

  4. Trust and Transparency: Show regulators, customers, and stakeholders that your institution is committed to robust cybersecurity practices by aligning with recognized standards.

  5. Prepare for the CAT Sunset: Transitioning from the CAT Tool to a more action-oriented framework like the CPGs can position your institution for success in the evolving cybersecurity landscape.


CISA’s CPGs are one of many tools available to help financial institutions strengthen their cybersecurity posture. While they offer a practical starting point, they work best as part of a comprehensive approach aligned with broader frameworks like the Cyber Risk Institute (CRI) Profile. By integrating the CPGs into a larger strategy, financial institutions can address their unique challenges while building a cohesive and robust cybersecurity program.

Explore the CPGs today, and consider how they complement other frameworks and tools in safeguarding your institution’s future.