CISA Cross-Sector Cybersecurity Performance Goals
Baseline cybersecurity practices for critical infrastructure operators
// What are the CISA CPGs?
The Cross-Sector Cybersecurity Performance Goals (CPGs) are a prioritized subset of IT and OT cybersecurity practices that CISA recommends all critical infrastructure organizations implement. Unlike prescriptive regulations, CPGs are voluntary baseline goals designed to meaningfully reduce risk to both critical infrastructure operations and the American people.
CPGs were developed in collaboration with industry partners and are informed by the most common threats and TTPs observed by CISA and its partners. They provide a common set of fundamental protections that apply across all 16 critical infrastructure sectors, from energy and water to healthcare and transportation.
While voluntary, CPGs increasingly serve as the baseline expectation for cybersecurity maturity. Insurance carriers, regulators, and sector-specific agencies reference CPGs when evaluating organizational security posture. Organizations should view CPGs as the minimum floor—not the ceiling—for their cybersecurity program.
// Inside the Regulation
CPGs are organized into eight categories of cybersecurity practices. Each goal specifies the practice, why it matters, and recommended actions for implementation.
Account Security
Foundational controls for managing user accounts and credentials.
Default Password Changes
Change default passwords on all assets before deployment, including OT/ICS devices.
Minimum Password Strength
Require a minimum password length of 15 characters for accounts not protected by MFA, and 8 characters for MFA-enabled accounts.
Unique Credentials
Use unique credentials for each user. Eliminate shared accounts where possible.
Separating User and Admin Accounts
Administrators should use separate accounts for privileged and non-privileged tasks.
Phishing-Resistant MFA
Implement phishing-resistant MFA (FIDO2/WebAuthn) for all externally exposed and privileged accounts.
Device Security
Practices for securing endpoints, servers, and OT devices.
Hardware and Software Inventory
Maintain an accurate inventory of all hardware and software assets including OT devices.
Disable Macros by Default
Disable Office macros by default; enable only when required for business need with compensating controls.
Asset Security Configuration
Apply CIS Benchmarks or vendor-recommended security configurations to all assets.
No Known Exploited Vulnerabilities
Prioritize remediation of CISA Known Exploited Vulnerabilities (KEV) catalog entries.
Endpoint Detection and Response
Deploy EDR solutions on all enterprise endpoints with automated threat detection and response.
Data Security
Protecting organizational data through encryption and logging.
Log Collection
Collect and retain logs from all critical systems including authentication, network, and application logs.
Secure Log Storage
Store logs in a centralized, tamper-resistant location with at least 90 days online retention.
Encryption at Rest
Encrypt sensitive data at rest using approved cryptographic standards.
Encryption in Transit
Use TLS 1.2+ for all data in transit. Disable legacy protocols (SSL, TLS 1.0/1.1).
Governance and Training
Organizational practices for security leadership and awareness.
Organizational Cybersecurity Leadership
Designate a single individual responsible for cybersecurity with authority and resources.
OT Cybersecurity Leadership
For OT environments, designate OT-specific security leadership with appropriate expertise.
Basic Cybersecurity Training
Provide annual cybersecurity awareness training for all employees covering phishing, social engineering, and safe practices.
OT Cybersecurity Training
Provide specialized OT security training for personnel managing industrial control systems.
Network Security
Segmentation and boundary protection for IT and OT networks.
Network Segmentation
Segment networks to limit lateral movement. Separate IT and OT networks at minimum.
Detect Relevant Threats
Monitor network traffic for indicators of compromise and anomalous behavior.
Network Traffic Filtering
Filter and inspect network traffic at boundaries using firewalls and IDS/IPS.
No Internet Exposure of OT
OT assets should not be directly accessible from the internet without strong compensating controls.
Vulnerability Management
Identifying and remediating security weaknesses.
Vulnerability Disclosure
Publish a vulnerability disclosure policy and maintain a reporting mechanism.
Vulnerability Scanning
Conduct regular vulnerability scanning of all internet-facing and internal assets.
Third-Party Validation
Conduct periodic third-party penetration testing of critical systems and applications.
Supply Chain/Third Party
Managing risks from vendors and service providers.
Vendor/Supplier Security Requirements
Include cybersecurity requirements in vendor contracts and assess vendor security practices.
Supply Chain Incident Reporting
Require vendors to report security incidents that may affect your organization.
Response and Recovery
Preparing for and recovering from cybersecurity incidents.
Incident Reporting
Report significant cyber incidents to CISA within 72 hours per CIRCIA requirements.
Incident Response Plan
Maintain and test an incident response plan covering detection, containment, eradication, and recovery.
System Backup and Recovery
Maintain offline, tested backups of critical systems with the ability to restore within business-defined RTOs.
Note: CPGs are designed to be achievable with modest cost and complexity. CISA provides implementation guidance, self-assessment tools, and technical assistance to help organizations achieve these goals. Start with the highest-impact goals based on your threat environment and work toward full implementation.
// Who Must Comply
- Electric utilities and grid operators
- Water and wastewater systems
- Oil and natural gas pipelines
- Manufacturing facilities
- Transportation systems
- Healthcare delivery organizations
- Financial services firms
- Any organization providing critical services
// Key Requirements
Account Security
Implement MFA, unique credentials, and proper password management across all accounts
Device Security
Maintain asset inventory, apply security configurations, and deploy endpoint protection
Data Security
Collect and protect logs, encrypt data at rest and in transit
Network Segmentation
Segment IT/OT networks, filter traffic, and prevent direct internet exposure of OT
Vulnerability Management
Regular scanning, KEV prioritization, and third-party penetration testing
Response and Recovery
Incident response plans, CISA reporting, and tested backup/recovery procedures
// Enforcement & Penalties
CPGs are voluntary guidelines without direct enforcement penalties. However, failure to implement baseline security practices can result in regulatory action under sector-specific rules, cyber insurance claim denials, and significant liability exposure following a breach.
Examples:
- Regulatory scrutiny if breach reveals CPG gaps
- Insurance coverage disputes for claims after preventable incidents
- Sector-specific enforcement (NERC CIP, TSA directives) for regulated entities
- Civil liability in breach litigation where industry standards weren't met
// Cyber Insurance Impact
Cyber insurers increasingly reference CPGs as baseline expectations for critical infrastructure operators. Applications may ask specifically about CPG implementation, and policies may include rate reductions for demonstrated CPG compliance. Failing to meet CPG baselines could affect coverage availability and pricing.
// How Breach Craft Helps
We help organizations achieve CISA CPG compliance through genuine security improvements—not checkbox exercises. Our services address the specific requirements and challenges of the CISA CPGs.
Gap Assessment
Measure your security against industry standards.
Penetration Testing
Find the gaps before attackers do.
Vulnerability Assessment
Comprehensive security scanning and risk prioritization.
Virtual CISO
Executive security leadership on demand.
Tabletop Exercises
Practice your incident response.
Ready to Strengthen Your Defenses?
Schedule a free consultation with our security experts to discuss your organization's needs.
Or call us directly at (445) 273-2873