- The Cross-Sector Cybersecurity Performance Goals (CPGs) provide a prioritized, baseline set of cybersecurity practices for both IT and OT systems across all critical infrastructure sectors
- CPGs are designed to be accessible, practical, and scalable for organizations of all sizes, particularly those with limited resources or cybersecurity maturity
- While not mandatory, the CPGs align with the NIST Cybersecurity Framework and are intended to drive measurable risk reduction through voluntary adoption
In response to growing cyber threats across the U.S. critical infrastructure landscape, the Cybersecurity and Infrastructure Security Agency (CISA) introduced the Cross-Sector Cybersecurity Performance Goals (CPGs). These goals are a practical, risk-based subset of both IT and operational technology (OT) cybersecurity practices developed in collaboration with industry and government partners. They aim to help organizations—especially small and medium-sized entities—prioritize and implement the most impactful security measures in a way that is clear, measurable, and easy to communicate to non-technical stakeholders. The CPGs are not meant to replace broader frameworks like NIST CSF but serve as a quick-start guide and foundational layer for building stronger cybersecurity programs.
CISA’s rationale for developing the CPGs is rooted in real-world observations. Despite widespread access to existing cybersecurity standards, many organizations struggle with implementation. Key challenges include inconsistent security practices across sectors, under-resourced OT environments, and widespread neglect of fundamental protections like multi-factor authentication, asset inventories, and vulnerability management. The CPGs are therefore intended to serve as a minimum floor of protection, designed to reduce the risk of common threats such as ransomware, phishing, supply chain compromises, and remote access exploitation.
Each CPG includes clearly defined outcomes, associated risks or adversary tactics (based on the MITRE ATT&CK framework), specific security practices, and scope of implementation. Supporting materials like the CPG Worksheet and Data Matrix help organizations assess their current cybersecurity posture, prioritize gaps, and advocate for investments in security initiatives. The March 2023 update enhanced alignment with the NIST CSF functions—Identify, Protect, Detect, Respond, and Recover—and incorporated feedback to improve guidance on phishing-resistant MFA, OT-specific recovery planning, and better sector-specific adaptability.
CISA emphasizes that the CPGs are voluntary, not a maturity model, and do not offer a comprehensive cybersecurity solution on their own. Instead, they are tools to help organizations move toward a stronger security posture with realistic steps and achievable goals. By providing low-barrier entry points and a structured approach to prioritization, the CPGs aim to reduce national cyber risk and ensure that critical infrastructure can withstand, respond to, and recover from increasingly complex cyber threats. Regular updates to the goals will keep them responsive to evolving risks and technologies.
Leave a Reply
You must be logged in to post a comment.