CISA outlines cyber fixes critical infrastructure can afford to fix

• Alongside the goals, CISA published a checklist measuring how much it will cost to implement each solution, the estimated impact of resolving each issue, and the complexity of the task.

Why it matters: Critical infrastructure operators like schools, water systems and hospitals often lack the financial and time investments needed to properly defend their networks against hackers.

• The checklist helps them cut through the noise and focus on what's possible.

What they're saying: "A small or medium business, a local water utility, a K-12 school district can say, 'We're budget-constrained, and this quarter we can only do the highest-impact and low-cost activities,'" said Eric Goldstein, executive assistant director for cybersecurity at CISA, in a press call.

• "Well, now they can look at this checklist and say, 'OK, we know where to start and we can undertake these activities,'" he added.

Threat level: 63% of those working at critical infrastructure companies said in a survey from Nozomi Networks and the SANS Institute released today that the cybersecurity risks they face are either "severe and critical" or "high."

• High-profile incidents like last year's Colonial Pipeline ransomware attack made tackling critical infrastructure cybersecurity a top Biden administration priority.

What's next: CISA Director Jen Easterly told reporters that the agency is planning to work on sector-specific cyber performance goals in the "coming months."

Sign up for Axios’ cybersecurity newsletter Codebook here.