Oct 28, 2022 - Technology

CISA outlines cyber fixes critical infrastructure can afford to fix

Illustration: Sarah Grillo/Axios

A set of new cybersecurity guidelines from the Cybersecurity and Infrastructure Security Agency (CISA) gives critical infrastructure operators details about what security issues they can afford to fix while operating on tight budgets and little staff.

Driving the news: CISA unveiled a highly anticipated list of voluntary "cybersecurity performance goals" on Thursday detailing what security practices critical infrastructure operators should follow — such as implementing multifactor authentication or changing default passwords on purchased technologies.

  • Alongside the goals, CISA published a checklist measuring how much it will cost to implement each solution, the estimated impact of resolving each issue, and the complexity of the task.

Why it matters: Critical infrastructure operators like schools, water systems and hospitals often lack the financial and time investments needed to properly defend their networks against hackers.

  • The checklist helps them cut through the noise and focus on what's possible.

What they're saying: "A small or medium business, a local water utility, a K-12 school district can say, 'We're budget-constrained, and this quarter we can only do the highest-impact and low-cost activities,'" said Eric Goldstein, executive assistant director for cybersecurity at CISA, in a press call.

  • "Well, now they can look at this checklist and say, 'OK, we know where to start and we can undertake these activities,'" he added.

Threat level: 63% of respondents working at critical infrastructure companies rated the cybersecurity risks they face as either "severe and critical" or "high," according to a survey from Nozomi Networks and the SANS Institute released today.

What's next: CISA Director Jen Easterly told reporters that the agency is planning to work on sector-specific cyber performance goals in the "coming months."
