CISA Issues Preliminary Cross-Sector Cybersecurity Goals and Objectives for Critical Infrastructure Control Systems

Sep 28, 2021

Reading Time : 4 min

As we noted here, the National Security Memorandum established “a voluntary initiative intended to drive collaboration between the Federal Government and the critical infrastructure community to improve cybersecurity of control systems.” It also directed DHS to “lead the development of preliminary cross-sector control system cybersecurity performance goals as well as sector-specific performance goals.” The preliminary goals were due September 22, 2021, and final cross-sector and sector-specific goals are due in July 2022. Secretary of Homeland Security Alejandro N. Mayorkas and Secretary of Commerce Gina Raimondo described the goals and objectives as “part of a long overdue, whole-of-government effort to meet the scale and severity of the cybersecurity threats facing our country.” And while they are not mandatory or legally enforceable in their current form, Secretaries Mayorkas and Raimondo also noted that it is “vital that critical infrastructure owners and operators immediately take steps to strengthen their cybersecurity posture toward these high-level goals.”

The preliminary goals span nine categories, and each includes “specific objectives that support the deployment and operation of secure control systems that are further organized into baseline and enhanced objectives.” The “baseline” objectives “represent recommended practices for all control system operators” while the “enhanced” objectives “include practices for critical infrastructure supporting national defense; critical lifeline sectors (i.e. energy, communications, transportation, and water); or where failure of control systems could have impacts to safety.” The nine categories—the order of which CISA notes “is not intended to imply a prioritization or specific progression of operations”—are:

  1. Risk Management and Cybersecurity Governance. This includes identifying and documenting cybersecurity risks to control systems using established recommended practices and providing dedicated resources to address cybersecurity risk and resiliency.
  2. Architecture and Design. This includes integrating cybersecurity and resilience into system architecture and design in accordance with established recommended practices “for segmentation, zoning, and isolating critical systems” and regularly reviewing and updating them to include lessons learned from operating experience.
  3. Configuration and Change Management. This includes documenting and controlling “hardware and software inventory, system settings, configurations, and network traffic flows throughout control system hardware and software lifecycles.”
  4. Physical Security. This includes limiting physical access to “systems, facilities, equipment, and other infrastructure assets, including new or replacement resources in transit, . . . to authorized users” and securing against “risks associated with the physical environment.”
  5. System and Data Integrity, Availability and Confidentiality. This includes protecting “the control system and its data against corruption, compromise, or loss.”
  6. Continuous Monitoring and Vulnerability Management. This includes implementation of “continuous monitoring of control systems cybersecurity threats and vulnerabilities.”
  7. Training and Awareness. This includes training personnel “to have the fundamental knowledge and skills necessary to recognize control system cybersecurity risks and understand their roles and responsibilities within established cybersecurity policies, procedures, and practices.”
  8. Incident Response and Recovery. This includes implementation and testing of “control system response and recovery plans with clearly defined roles and responsibilities.”
  9. Supply Chain Risk Management. This includes identification of risks “associated with control system hardware, software, and managed services” and establishment of policies and procedures “to prevent the exploitation of systems through effective supply chain risk management.”

CISA also provides “Sample Evidence of Implementation” for each set of goals and objectives “to demonstrate what successful implementation . . . might entail for an organization.” In other words, “[s]uccessfully implementing all baseline objectives would equate to successful implementation of a goal.” In addition, CISA states that “while all of the goals . . . are foundational activities for effective risk management, they represent high-level cybersecurity best practices.” But “[i]mplementation of the [preliminary] goals and objectives . . . is not an exhaustive guide to all facets of an effective cybersecurity program.” Rather, CISA and NIST developed and refined the preliminary goals “with as much interagency and industry input as practical for the initial timeline using existing coordinating bodies. DHS expects to conduct much more extensive stakeholder engagement as the goals are finalized” by July 2022.

Our sense is that the extent to which incorporating such goals and objectives into a cybersecurity program would be challenging or costly will depend heavily on the characteristics of existing programs (if any) and what specific actions would be relevant and feasible for each affected entity. Indeed, there likely will be much variability from entity to entity. However, two main features of the preliminary goals and objectives stick out. First, they are clear, concise and straightforward. While implementation likely would vary across sectors and entities, they are at least well organized and easy to understand. And second, CISA provided “Sample Evidence of Implementation” notes for each goal and objective, which likely would prove highly useful in measuring and, as needed, demonstrating progress and performance going forward. With regard to next steps, it would be prudent for affected control system owners and operators in relevant critical infrastructure sectors to review the preliminary goals and objectives in detail and begin to think about any necessary adjustments to their cybersecurity programs and practices that might be necessary to meet them. Beginning this work well in advance of the final cross-sector and sector-specific goals next year could pay significant dividends over time.

Share This Insight

Previous Entries

Speaking Energy

July 8, 2026

On June 18, 2026, the Federal Energy Regulatory Commission (FERC or the Commission) issued an order to ISO New England Inc. (ISO-NE) directing ISO-NE and ISO-NE participating transmission owners to show cause as to why ISO-NE’s tariff should not be found to be unjust and unreasonable (ISO New England Inc., 195 FERC ¶ 61,215 (2026) (Order)) because it fails to sufficiently:

...

Read More

Speaking Energy

July 7, 2026

On June 29, 2026, the Supreme Court granted a petition for certiorari in Leonard Hoffmann v. WBI Energy Transmission, Inc. (Hoffmann), which presents the question whether section 7 of the Natural Gas Act (NGA) requires pipeline companies using federal eminent domain authority to pay landowners’ attorney’s fees in states where landowners can recover those fees under state law. In the decision giving rise to the Supreme Court’s review, the U.S. Court of Appeals for the Eighth Circuit held that a group of ranchers were not entitled to recover their $383,300 in attorney’s fees incurred while negotiating their compensation—creating a circuit split with four other courts of appeals. Hoffmann will be heard during the Court’s October 2026 Term, and marks the second time in five years that the Court has agreed to interpret NGA section 7.

...

Read More

Speaking Energy

July 6, 2026

On June 29, 2026, the United States Supreme Court issued Trump v. Slaughter, fundamentally reshaping presidential removal authority over independent regulatory agencies. The decision overruled a 90-year-old precedent established in Humphrey’s Executor v. United States, which had upheld the constitutionality of commissioner removal protections in the Federal Trade Commission Act (FTC Act). As written, the FTC Act permits a commissioner’s removal “only for inefficiency, neglect of duty, or malfeasance in office.” In Slaughter, the Court was asked to reevaluate this standard following the President’s removal of a Democratic-appointed FTC commissioner from office in 2025 without cause. Finding for the President, the Court held that removal was permissible because the FTC Act’s for-cause removal protections for commissioners violate the separation of powers, specifically, the President’s removal power under Article II. The Court explained that the FTC exercises executive power because it promulgates binding rules, investigates and enforces those rules through administrative adjudications, and brings civil enforcement actions in federal court. It found that because it exercises these executive powers, its commissioners “must therefore be controlled by the Chief Executive, in whom such power is vested.” While previous recent cases addressing the scope of the Removal Power, Seila Law LLC v. Consumer Financial Protection Bureau and Collins v. Yellen purported to preserve some kernel of Humphrey’s, the Court made clear that “[i]f anything more is left of Humphrey’s, we overrule it.”

...

Read More

Speaking Energy

June 25, 2026

On June 18, 2026, the Federal Energy Regulatory Commission (FERC or the Commission) issued an order to the California Independent System Operator Corporation (CAISO) directing CAISO and CAISO transmission owners to show cause as to why CAISO’s tariff should not be found to be unjust and unreasonable (California Indep. Sys. Operator Corp., 195 FERC ¶ 61,214 (2026) (the Order)) because it fails to sufficiently:

...

Read More

© 2026 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.