
CISA Cross-Sector Cybersecurity Performance Goals

Baseline cybersecurity practices for critical infrastructure operators

Established: October 2022 · Last Updated: December 2025 (v2.0) · Scope: All Critical Infrastructure Sectors · 6 CSF 2.0 Functions

// What are the CISA CPGs?

The Cross-Sector Cybersecurity Performance Goals (CPGs) are a prioritized subset of IT and operational technology (OT) cybersecurity practices that CISA recommends all critical infrastructure organizations implement. Unlike prescriptive regulations, CPGs are voluntary baseline goals designed to meaningfully reduce risk to both critical infrastructure operations and the American people.

CPGs were developed with industry partners and are informed by the most common threats and TTPs that CISA observes. They provide a common set of fundamental protections that apply across all 16 critical infrastructure sectors, from energy and water to healthcare and transportation. CISA released CPG version 2.0 in December 2025, realigning the goals to the six functions of the NIST Cybersecurity Framework (CSF) 2.0, adding a Govern function, and folding former OT-only goals into shared goals that cover IT and OT together.

While voluntary, CPGs increasingly serve as the baseline expectation for cybersecurity maturity. Insurance carriers, regulators, and sector-specific agencies reference CPGs when evaluating organizational security posture. CISA is explicit that the CPGs are a floor, not a ceiling: they are a minimum set of practices, not a full risk management program, and organizations should build on them with a broader framework like the NIST CSF.

Updated for CPG 2.0 · December 2025

CISA released Cross-Sector Cybersecurity Performance Goals version 2.0 in December 2025. It realigns the CPGs to NIST CSF 2.0, incorporates three years of operational feedback, and adds goals for emerging threats. The main changes from version 1.0.1:

  • New Govern function

    The CPGs now map to all six NIST CSF 2.0 functions. A new Govern function regroups leadership accountability, oversight, incident response planning, and supply-chain and service-provider risk into one place, mirroring CSF 2.0's emphasis on governance.

  • Universal IT and OT goals

    Former OT-only goals were merged into shared goals that address IT and OT together. Small and medium-sized operators can now apply one framework across the whole estate instead of reading across separate domain-specific goals.

  • Four new goals

    Manage Cybersecurity Oversight (1.B), Manage Risks from Managed Service Providers (1.E), Implement the Principles of Least Privilege (3.H), and Establish Incident Communication Procedures (5.A) were added to address program evolution, third-party access, and crisis coordination.

  • Three goals retired

    Standalone goals for security.txt deployment, detecting relevant TTPs, and vendor security requirements were folded into broader goals. Their outcomes are preserved, not dropped.

  • Reworked prioritization ratings

    Each goal now carries Cost, Impact, and Ease of Implementation ratings. Ease of Implementation replaces the old Complexity rating, and each rating has defined scoring logic so that self-assessments are more consistent across organizations.

// Inside the Regulation

CPG 2.0 organizes its goals under the six functions of the NIST Cybersecurity Framework 2.0. Each goal defines an outcome, the risk it reduces, and recommended actions for both IT and OT environments.

Function 1 · GOVERN

Leadership accountability, oversight, and risk management that make cybersecurity part of how the organization runs.

1.A Establish Cybersecurity Responsibilities

Document and assign cybersecurity roles, responsibilities, and authorities across the organization and its external partners.

1.B Manage Cybersecurity Oversight (new in 2.0)

Set and review, at least annually, the risk management strategy, expectations, and policies that govern the security program.

1.C Maintain Incident Response Plans

Develop, maintain, and regularly exercise IR plans, including OT-specific safety and containment considerations.

1.D Supply Chain Incident Reporting & Vulnerability Disclosure

Require vendors and service providers to report incidents and vulnerabilities within a risk-informed timeframe.

1.E Manage Risks from Managed Service Providers (new in 2.0)

Identify, monitor, and contractually address the risks posed by MSPs with deep access to IT or OT systems.

Function 2 · IDENTIFY

Knowing what you have and where the weaknesses are.

2.A Manage Organizational Assets

Maintain a current inventory of all assets: data, hardware, software, systems, facilities, and personnel.

2.B Mitigate Known Vulnerabilities

Run a vulnerability management program that patches or mitigates known-exploited and misconfigured software in a timely manner.

2.C Obtain Independent Validation of Cybersecurity Controls

Engage third parties to validate controls through penetration tests, bug bounties, and exercises, and address the findings.

2.D Maintain Vulnerability Disclosure/Reporting Process

Publish a discoverable way to report vulnerabilities, with safe-harbor protections for good-faith reporters.

2.E Document Network Topology

Keep accurate documentation of IT and OT network topology, reviewed annually and whenever the network changes.

Function 3 · PROTECT

The safeguards that limit the likelihood and impact of an intrusion across IT and OT.

3.A Change Default Passwords

Change default manufacturer passwords on all IT and OT assets before connecting them to any network.

3.B Establish Minimum Password Strength

Enforce a system-wide minimum password length of 16 or more characters wherever technically feasible.

3.C Create Unique Credentials

Use unique credentials for each user and service; eliminate shared and universal non-person-entity passwords.

3.D Revoke Credentials for Departing Staff

Enforce an offboarding process that revokes access promptly and disables inactive accounts.

3.E Monitor Unsuccessful (Automated) Login Attempts

Log and alert on repeated failed logins that indicate automated, credential-based attacks.
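As an added illustration of goal 3.E (example code, not part of the CISA document), the script below flags a source address whose failed SSH logins reach a threshold inside a sliding time window. The log lines, hostnames, IP addresses, year, threshold and window length are all constructed assumptions; the line format is loosely modelled on OpenSSH auth.log messages. The sample deliberately contains a fast burst from one address and a slow, spaced-out series from another, so the window choice decides which one is caught.

```python
"""Sliding-window detection of repeated failed logins (CPG 3.E).

Added example, not CISA's code. All log lines below are constructed for
illustration; they are not real captures.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log. Syslog timestamps omit the year, so parse_failed_logins
# takes an assumed year as a parameter.
SAMPLE_LOG = """\
Mar 10 08:00:01 bastion sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar 10 08:00:03 bastion sshd[1203]: Failed password for invalid user oracle from 198.51.100.7 port 51030 ssh2
Mar 10 08:00:04 bastion sshd[1205]: Failed password for root from 198.51.100.7 port 51041 ssh2
Mar 10 08:00:06 bastion sshd[1207]: Failed password for invalid user test from 198.51.100.7 port 51055 ssh2
Mar 10 08:00:07 bastion sshd[1209]: Failed password for invalid user guest from 198.51.100.7 port 51060 ssh2
Mar 10 08:00:09 bastion sshd[1211]: Accepted publickey for alice from 203.0.113.20 port 40012 ssh2
Mar 10 08:15:00 bastion sshd[1301]: Failed password for bob from 203.0.113.21 port 40100 ssh2
Mar 10 08:25:00 bastion sshd[1302]: Failed password for bob from 203.0.113.21 port 40101 ssh2
Mar 10 08:35:00 bastion sshd[1303]: Failed password for bob from 203.0.113.21 port 40102 ssh2
Mar 10 08:45:00 bastion sshd[1304]: Failed password for bob from 203.0.113.21 port 40103 ssh2
Mar 10 08:55:00 bastion sshd[1305]: Failed password for bob from 203.0.113.21 port 40104 ssh2
"""

# Matches OpenSSH "Failed password" lines, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failed_logins(text, year=2026):
    """Yield (timestamp, username, source_ip) for every failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated messages are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["src"]


def detect_bruteforce(text, threshold=5, window_seconds=300):
    """Return one alert per source IP whose failures reach `threshold` within
    any span of `window_seconds`. Lines are assumed to be in chronological order.
    A per-source deque holds only the events still inside the window.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, user, src in parse_failed_logins(text):
        q = recent[src]
        q.append((ts, user))
        # Evict events that have aged out of the window; the newest event always stays.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)  # alert once per source, not on every further failure
            alerts.append({
                "src": src,
                "count": len(q),
                "users": sorted({u for _, u in q}),
                "first": q[0][0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

With the default five-failure, five-minute window only the burst from 198.51.100.7 is reported; the ten-minute-spaced attempts against bob never have five events inside the window. Widening the window to an hour reports both sources, which is the trade-off a detection engineer tunes between catching slow password spraying and alerting on ordinary typos.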

3.F Implement Multifactor Authentication (MFA)

Require MFA using the strongest available method, prioritizing phishing-resistant MFA for privileged and remote access.

3.G Administrators Maintain Separate User and Privileged Accounts

Keep admin and everyday accounts separate, and re-evaluate privileges on a recurring basis.

3.H Implement the Principles of Least Privilege (new in 2.0)

Operate all accounts, roles, and processes with the minimum privileges needed, with quarterly access reviews.

3.I Implement Logical/Physical Network Segmentation

Segment networks to contain breaches and limit lateral movement; physically segment OT enclaves where applicable.

3.J Implement Cybersecurity Training

Provide initial and at least annual security training, with role-based and OT-specific training where relevant.

3.K Utilize Strong Encryption

Encrypt sensitive data at rest and in transit using approved cryptography, including stored credentials.

3.L Enable Email Security

Enable STARTTLS, SPF, and DKIM, and set DMARC to reject across all corporate email infrastructure.
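As an added example for goal 3.L (not part of the CISA document), the script below checks SPF and DMARC TXT record strings against the goal's DMARC-at-reject target and reports the gaps. The records and the domain are constructed assumptions rather than live DNS lookups; in practice the strings would come from a resolver query for the domain and for `_dmarc.<domain>`. STARTTLS and DKIM are server and selector configuration and are not covered by this check.

```python
"""Assess published SPF and DMARC records against the CPG 3.L target (CPG 3.L).

Added example, not CISA's code. The record strings below are constructed for
illustration; substitute the TXT records fetched for a real domain.
"""

# Constructed records for an assumed domain: a weak starting point and the target state.
WEAK_RECORDS = {
    "spf": "v=spf1 include:_spf.example-mailer.invalid a mx ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
}
TARGET_RECORDS = {
    "spf": "v=spf1 include:_spf.example-mailer.invalid -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.invalid",
}


def parse_tag_value(record):
    """Parse a 'tag=value; tag=value' record (DMARC style) into a lower-cased dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return findings for an SPF record; an empty list means no gap was found."""
    if record is None or not record.lower().startswith("v=spf1"):
        return ["no SPF record (v=spf1) published"]
    findings = []
    terms = record.split()[1:]
    if "+all" in terms or "all" in terms:
        findings.append("SPF ends with +all: any sender passes")
    elif "?all" in terms:
        findings.append("SPF ends with ?all: neutral, no protection")
    elif "~all" in terms:
        findings.append("SPF uses ~all (softfail); -all is stronger once DMARC is at reject")
    elif "-all" not in terms:
        findings.append("SPF has no 'all' mechanism; default result is neutral")
    # RFC 7208 limits DNS-querying terms to 10; exceeding it yields permerror.
    lookups = 0
    for term in terms:
        name = term.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        if name in ("include", "a", "mx", "exists", "ptr", "redirect"):
            lookups += 1
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; RFC 7208 limit is 10 (permerror)")
    return findings


def check_dmarc(record):
    """Return findings for a DMARC record measured against p=reject."""
    if record is None:
        return ["no DMARC record published at _dmarc.<domain>"]
    tags = parse_tag_value(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC policy is p={policy or 'missing'}; CPG 3.L target is p=reject")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= aggregate reporting address; policy effects are invisible")
    subdomain_policy = tags.get("sp", "").lower()
    if subdomain_policy and subdomain_policy != "reject":
        findings.append(f"subdomain policy sp={subdomain_policy} is weaker than reject")
    return findings


def assess(domain, spf_record, dmarc_record):
    """Combine SPF and DMARC findings for one domain into a single report."""
    findings = [f"{domain} SPF: {f}" for f in check_spf(spf_record)]
    findings += [f"{domain} DMARC: {f}" for f in check_dmarc(dmarc_record)]
    return {"domain": domain, "spf_dmarc_ok": not findings, "findings": findings}


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("target", TARGET_RECORDS)):
        print(label, assess("example.invalid", records["spf"], records["dmarc"]))
```

The weak records produce two findings (softfail SPF and p=none), which is the usual state of a domain that has published records but never moved past monitoring; the target records pass. Running this across every domain an organization sends mail from is a cheap way to track the 3.L rollout.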

3.M Disable Autorun & Macros by Default

Disable Office macros and autorun/autoplay by default on all assets, enabling only by exception.

3.N Establish Change Management Processes

Maintain documented, secure change management and configuration control, testing changes before deployment.

3.O Maintain System Backups & Restoration Ability

Keep offline, tested backups and validated restoration procedures for systems needed to operate.

3.P Maintain Hardware & Software Approval Process

Review, test, and approve hardware, firmware, and software against an approved-products list before deployment.

3.Q Maintain Log Collection & Storage

Collect security logs centrally in tamper-resistant storage, and alert when a critical log function is disabled.

3.R Prohibit Connection of Unauthorized Devices

Prevent unauthorized USB and removable media from connecting to IT and OT assets.

3.S Secure Internet-Facing Devices

Minimize internet-facing assets and never expose network management interfaces to the public internet.

Function 4 · DETECT

Spotting malicious activity early, in both IT and OT.

4.A Establish Malicious Code Detection

Deploy signature and behavior-based malware detection on endpoints, with OT-appropriate testing and compatibility practices.

4.B Identify Adverse Events

Define clear criteria and processes to identify and escalate adverse security events, including OT-specific anomalies.

Function 5 · RESPOND

Coordinating and reporting once an incident is underway.

5.A Establish Incident Communication Procedures (new in 2.0)

Plan internal and external crisis communications with response teams, partners, suppliers, and leadership.

5.B Establish Incident Reporting Procedures

Report confirmed incidents to CISA and other required parties within applicable regulatory timeframes.

Function 6 · RECOVER

Restoring service and learning from the incident.

6.A Execute Incident Recovery Plan

Recover and restore mission-critical services, then run post-incident analysis to refine the response plan.

Note: CPGs are designed to be achievable with modest cost and complexity. CISA publishes a CPG Checklist and a CPG 2.0 assessment module in its free Cyber Security Evaluation Tool (CSET) to help organizations self-assess, prioritize by cost and impact, and track progress. CISA revises the CPGs on a 24 to 36 month cycle. Start with the highest-impact goals for your threat environment and work toward full implementation.

// Who Must Comply

  • Electric utilities and grid operators
  • Water and wastewater systems
  • Oil and natural gas pipelines
  • Manufacturing facilities
  • Transportation systems
  • Healthcare delivery organizations
  • Financial services firms
  • Any organization providing critical services

// Key Requirements

Govern

Establish cybersecurity leadership and accountability, oversight, incident response plans, and supply-chain and MSP risk management

Identify

Inventory assets, mitigate known vulnerabilities, validate controls independently, and document network topology

Protect

Account security, MFA, least privilege, segmentation, encryption, backups, and hardening across IT and OT

Detect

Deploy malicious code detection and define clear criteria for identifying adverse security events

Respond

Incident communication and reporting procedures for internal teams, partners, suppliers, and CISA

Recover

Execute and refine recovery plans to restore mission-critical services after an incident

// Enforcement & Penalties

CPGs are voluntary guidelines without direct enforcement penalties. However, failure to implement baseline security practices can result in regulatory action under sector-specific rules, cyber insurance claim denials, and significant liability exposure following a breach.

Examples:

  • Regulatory scrutiny if a breach reveals CPG gaps
  • Insurance coverage disputes for claims after preventable incidents
  • Sector-specific enforcement (NERC CIP, TSA directives) for regulated entities
  • Civil liability in breach litigation where industry standards weren't met

// Cyber Insurance Impact

Cyber insurers increasingly reference CPGs as baseline expectations for critical infrastructure operators. Applications may ask specifically about CPG implementation, and policies may include rate reductions for demonstrated CPG compliance. Failing to meet CPG baselines could affect coverage availability and pricing.

// Industries That Need CISA CPGs

These industries commonly require CISA CPG compliance as part of their regulatory obligations.

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873