The Cybersecurity and Infrastructure Security Agency (CISA) has released version 2.0 of its Cross-Sector Cybersecurity Performance Goals (CPGs). The update offers organizations a more robust framework for integrating cybersecurity into daily operations. The updated CPGs align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, incorporates three years of operational insights, and address emerging threats through data-driven, actionable guidance. These enhancements are designed to promote accountability, improve risk management, and support strategic cybersecurity governance across sectors.
The Cross-Sector CPGs represent a targeted subset of best practices, carefully selected through extensive consultation with industry leaders, government stakeholders, and cybersecurity experts. Designed to meaningfully reduce risks to critical infrastructure and safeguard the American public, these goals offer a practical starting point for small and medium-sized organizations. By focusing on a limited set of high-impact actions, the CPGs help prioritize cybersecurity investments that deliver measurable improvements in resilience and risk reduction.
The updated goals offer expanded and clarified guidance across key cybersecurity domains—including account and device security, data protection, governance, vulnerability management, supply chain risk, and incident response and recovery. Building on the foundation of version 1.0.1, CPG 2.0 introduces several notable improvements:
- Governance Emphasis: A new “Govern” function underscores the critical role of organizational leadership in cybersecurity, regrouping existing goals and introducing two new ones focused on risk management strategy, policy development, and executive accountability.
- Unified Goal Structure: Operational Technology (OT) and Information Technology (IT) goals are now consolidated into universal goals, eliminating silos across IT, Internet of Things (IoT), and OT environments.
- Threat-Responsive Expansion: New goals address emerging threats, third-party risk, zero trust architecture, and incident communication protocols.
- Streamlined Framework: Redundant, unclear, or underutilized goals have been removed to improve clarity and usability.
- Enhanced Documentation: Each goal now includes clearer methodology and supporting materials to reduce guesswork and improve implementation.
“Over the past year, CISA has engaged extensively with hundreds of stakeholders across both the public and private sectors to ensure the updated goals reflect real-world challenges and operational realities,” said Madhu Gottumukkala, Acting CISA Director. “Version 2.0 demonstrates our commitment to listening to and incorporating partner feedback to deliver practical, outcome-driven guidance that organizations can act on. These goals are applicable across all critical infrastructure sectors and offer foundational protection for organizations regardless of their cybersecurity maturity. We encourage all organizations to adopt the new CPGs and continue sharing feedback to help us refine future iterations.”
The Cross-Sector CPGs serve three primary purposes:
- Provide measurable actions that critical infrastructure entities can take to achieve a basic level of cybersecurity.
- Bridge communication gaps between IT/OT technical staff and organizational leadership to align on cybersecurity priorities.
- Support strategic planning by offering clear guidance that informs both near- and long-term cybersecurity investments.
The original announcement can be found here.
