CISA CPG 2.0 Across a National Water Utility

The Challenge

A mid-sized IT services firm serves a national water utility as their managed IT provider. The utility operates across many geographically distinct Public Water System IDs (PWSIDs), each with its own infrastructure, operational technology environment, staffing model, and risk profile. When CISA published the Cybersecurity Performance Goals (CPGs) 2.0, the utility’s leadership asked a direct question through their MSP: where does each of our sites stand, and what should we fix first?

A single enterprise-wide audit would have flattened real and important variation. A small rural treatment facility with a handful of operators does not have the same exposure, vendor footprint, or control maturity as a large metropolitan site serving hundreds of thousands of customers. Rolling all of that into one gap report would have produced generic recommendations nobody could act on at the local level. The MSP needed per-site results their utility client could hand to a specific site manager with clear next steps.

The MSP’s internal team had strong operational IT capability but did not have deep CISA CPG expertise or the bandwidth to build a repeatable assessment methodology from scratch. They needed a partner who could deliver the technical work site by site without disrupting the MSP’s relationship with their end client, and who could hand back deliverables the MSP could present under their own brand as part of an ongoing service relationship.

The Approach

We scoped the engagement per PWSID rather than as a single enterprise audit. Each site received its own discovery phase, its own control mapping against the CISA CPG 2.0 framework, its own gap identification with severity ratings, and its own prioritized remediation roadmap. The structure was repeatable by design: same methodology, same deliverable template, different outputs reflecting the real differences between sites.

For each PWSID, the engagement ran through four phases. Discovery interviewed site personnel, cataloged technology and OT assets relevant to each CPG control family, and identified site-specific constraints (budget, staffing, physical environment, regulatory overlap). Control mapping walked each of the CISA CPG 2.0 goals and sub-requirements against what the site actually had in place, marking each as fully aligned, partially aligned, or gap. Gap identification converted the partial and gap findings into ranked issues with severity based on the likelihood and impact specific to water utility operations, not a generic scoring model. Roadmap development packaged the findings into a phased remediation plan with effort estimates, dependency ordering, and a first-30-days / 90-days / 12-months structure site managers could actually execute against.

Because we ran the same methodology at multiple sites, patterns emerged. Common gaps across sites got rolled up into executive-level findings the utility could address with centralized policy or procurement decisions. Site-specific gaps stayed site-specific, where they belonged.

The MSP stayed in the lead on the client relationship throughout. We worked as a technical delivery partner: onsite and remote discovery, the analysis, the deliverables, the methodology. The MSP owned the narrative with the end client, the scheduling, and the executive reporting. Our deliverables were designed to be presentable by the MSP without needing to scrub our branding or re-explain our terminology.

The Outcomes

Each PWSID received a quantified baseline against the CISA CPG 2.0 framework, a severity-mapped gap catalog that reflected the site’s actual context, and a prioritized per-site roadmap with realistic timelines. Site managers got deliverables they could read, understand, and act on without needing to translate a compliance consultant’s vocabulary.

Executive leadership at the utility got something the prior approach would not have produced: a cross-site view that identified the gaps common to most sites (worth a centralized investment) versus the gaps unique to specific sites (worth local attention). That let them allocate funding across sites based on evidence rather than estimation.

The MSP partner walked away with a methodology they could extend internally over time. The repeatable assessment structure, the deliverable templates, and the framework-mapping patterns became an asset they could apply to other clients. We stayed available for the harder questions as they rolled the pattern forward: when a site’s findings raised questions we could answer faster than they could, they called. When their internal team needed a specific control explained in plain language, they had our methodology to reference.

For the end client, the engagement reframed security investment from a single line item to a portfolio of per-site decisions with clear effort, impact, and sequencing. That is a harder ask to sell internally than “fix everything,” but it is also the ask that actually matches how operations teams at water utilities work: one site, one budget, one crew at a time.

Critical infrastructure security is not optional, and it is not a problem that resolves through a single enterprise audit. Per-site assessment work, repeatable methodology, and framework-mapped findings delivered through a trusted MSP relationship is how this kind of work actually moves forward at scale.