
CISA Cross-Sector Cybersecurity Performance Goals — Adoption Blueprint

CISA’s cross-sector performance goals translate the NIST Cybersecurity Framework into prioritized baseline and enhanced safeguards for critical infrastructure, requiring governance, testing, and supply chain controls to show measurable risk reduction.


The Cybersecurity and Infrastructure Security Agency (CISA) released the Cross-Sector Cybersecurity Performance Goals (CPGs), a prioritized set of baseline and enhanced practices designed to help critical infrastructure operators manage the most prevalent cyber risks. Developed in partnership with the National Institute of Standards and Technology (NIST), the CPGs translate the NIST Cybersecurity Framework into actionable safeguards that address common threat vectors affecting organizations of all sizes. They cover identity and access management, device security, network segmentation, data integrity, vulnerability management, incident response, and governance. Although the CPGs are voluntary, the Department of Homeland Security encourages federal and state regulators to reference them, and many grant programs now require progress reporting.

Understanding baseline and enhanced goals

The CPGs divide 37 goals into baseline and enhanced categories. Baseline goals represent minimum safeguards every critical infrastructure entity should implement regardless of size or maturity; examples include multifactor authentication (MFA) for privileged accounts, asset inventories, patch management, and tested incident response plans. Enhanced goals reflect more advanced practices such as phishing-resistant MFA, network segmentation for operational technology (OT), centralized security event logging, and external vulnerability scanning. CISA aligns each goal with the relevant NIST CSF subcategories and maps it to frameworks such as CIS Controls v8 and the MITRE ATT&CK matrix.

Implementation strategy

If you are affected, conduct a structured assessment to benchmark against the CPGs. Steps include:

  • Scope definition: Identify critical services, assets, and systems, including IT, OT, and cloud environments. Map dependencies on third-party providers and managed services.
  • Control assessment: Evaluate current controls against each goal, documenting evidence (policies, configurations, logs). Distinguish between partial, full, and absent implementation.
  • Risk prioritization: Use threat intelligence and business impact analysis to focus on gaps. Consider ransomware prevalence, supply chain dependencies, regulatory obligations, and safety implications.
  • Remediation planning: Develop roadmaps with defined milestones, budgets, and accountable owners. Integrate projects into enterprise risk registers and capital planning.

Key control domains

Identity and access management (IAM): Baseline goals require MFA for administrative access, unique credentials, and centralized access reviews. Enhanced goals call for phishing-resistant MFA (for example, FIDO2 security keys), just-in-time privileged access, and passwordless authentication pilots. If you are affected, maintain IAM metrics such as the number of privileged accounts, MFA adoption rate, and access review completion. Testing should confirm that MFA is enforced across remote access, VPNs, cloud portals, and OT remote management solutions.

Device security: CPGs mandate asset inventories covering hardware, software, and firmware. Implement automated discovery tools (agent-based, network scans) and maintain configuration baselines aligned with Center for Internet Security (CIS) benchmarks. Enhanced goals emphasize endpoint detection and response (EDR) coverage and secure remote management. Outcome testing should include penetration testing of unmanaged devices, configuration drift analysis, and validation of secure boot and patching on OT assets.

Network segmentation: Baseline expectations include segmenting networks to limit lateral movement and isolating administrative interfaces. Enhanced goals recommend dedicated management networks, zero trust segmentation, and enforced least privilege between IT and OT. If you are affected, use micro-segmentation platforms, firewall policies, and software-defined networking controls. Testing should include red-team exercises, simulated ransomware propagation, and validation of firewall rule change processes.

Data security and backup: CPGs highlight maintaining offline, immutable backups and regularly testing restoration. Implement backup schedules aligned with recovery point objectives (RPOs) and recovery time objectives (RTOs). Enhanced goals include applying data loss prevention (DLP) controls, encryption, and secure key management. Conduct regular backup restore drills, track success rates, and monitor backup infrastructure for tampering.

Vulnerability and patch management: Organizations must perform routine vulnerability scanning, patch high-severity vulnerabilities within defined timelines, and monitor for exploitation. Enhanced goals include performing authenticated scans, risk-based prioritization using CISA’s Known Exploited Vulnerabilities (KEV) catalog, and adopting automated patch deployment. Maintain metrics such as mean time to remediate (MTTR), percentage of assets covered by scans, and exception volumes. Test program effectiveness with independent penetration tests and configuration audits.
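The following is an added illustration of the risk-based prioritization described above, written for this briefing rather than taken from CISA or the page. It joins scanner findings against a KEV-style feed and orders them so that a KEV-listed medium-severity finding outranks an unlisted critical one, which is the behaviour the paragraph asks for. The catalog field names (cveID, dueDate, knownRansomwareCampaignUse) follow the public KEV JSON feed; every catalog entry, finding, asset name and date below is constructed sample data.

```python
"""Triage scan findings against the CISA KEV catalog.

Added example for this briefing; not CISA's code or the page's own.
Catalog field names follow the public KEV JSON feed, but every entry,
finding, asset name and date here is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

AS_OF = date(2024, 4, 1)  # constructed assessment date

# Constructed stand-in for the feed's "vulnerabilities" array.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "dueDate": "2024-03-01",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "dueDate": "2024-04-15",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed scanner export: one row per (asset, CVE) finding.
SCAN_FINDINGS = [
    {"asset": "hmi-01", "cve": "CVE-0000-0001", "cvss": 7.8, "exposed": True},
    {"asset": "web-03", "cve": "CVE-0000-0003", "cvss": 9.8, "exposed": True},
    {"asset": "fs-02", "cve": "CVE-0000-0002", "cvss": 6.5, "exposed": False},
    {"asset": "ws-14", "cve": "CVE-0000-0004", "cvss": 5.3, "exposed": False},
]


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float
    exposed: bool            # reachable from an untrusted network per the scanner
    in_kev: bool
    ransomware: bool         # KEV flags the CVE as used in ransomware campaigns
    kev_due: Optional[date]  # CISA's remediation due date, when KEV-listed


def index_kev(feed):
    """Map cveID -> (due date, ransomware flag) so triage is a dict lookup."""
    return {
        v["cveID"]: (date.fromisoformat(v["dueDate"]),
                     v.get("knownRansomwareCampaignUse") == "Known")
        for v in feed["vulnerabilities"]
    }


def enrich(findings, kev_index):
    """Attach KEV context to each raw finding."""
    out = []
    for f in findings:
        due, ransomware = kev_index.get(f["cve"], (None, False))
        out.append(Finding(f["asset"], f["cve"], f["cvss"], f["exposed"],
                           f["cve"] in kev_index, ransomware, due))
    return out


def priority_key(f, today):
    """Ascending sort key: KEV-listed, then ransomware-linked, then past the
    CISA due date, then externally exposed, then higher CVSS. Booleans are
    negated so the most urgent findings produce the smallest tuples."""
    overdue = f.in_kev and f.kev_due < today
    return (not f.in_kev, not f.ransomware, not overdue, not f.exposed, -f.cvss)


def remediation_queue(findings, feed, today=AS_OF):
    """Return findings ordered for remediation, most urgent first."""
    enriched = enrich(findings, index_kev(feed))
    return sorted(enriched, key=lambda f: priority_key(f, today))


def overdue_kev(queue, today=AS_OF):
    """Assets whose KEV-listed findings are already past CISA's due date."""
    return [f.asset for f in queue if f.in_kev and f.kev_due < today]


if __name__ == "__main__":
    for f in remediation_queue(SCAN_FINDINGS, KEV_SAMPLE):
        print(f.asset, f.cve, "KEV" if f.in_kev else "-", f.cvss)
```

With the constructed data, the queue comes out as hmi-01, fs-02, web-03, ws-14: both KEV-listed findings sort ahead of the unlisted CVSS 9.8 finding, and hmi-01 leads because it is ransomware-linked and past its due date. The `overdue_kev` list is the input for the exception volume metric mentioned above.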

Incident response and recovery: Baseline goals require written incident response plans, designated teams, and tested escalation procedures. Enhanced goals call for tabletop exercises with executive participation, integration with external partners (for example, Information Sharing and Analysis Centers), and playbooks for ransomware and business email compromise. Post-incident reviews should feed into continuous improvement cycles.

Governance and risk management: The CPGs encourage establishing cybersecurity risk registers, aligning budgets to prioritized gaps, and ensuring board-level oversight. Enhanced goals include appointing senior accountable executives, integrating cybersecurity with enterprise risk management (ERM), and sharing risk metrics with teams. If you are affected, tie incentives and performance reviews to cybersecurity objectives.

Outcome testing and metrics

To show progress, you should track metrics mapped to each goal. Examples include:

  • MFA coverage: Percentage of privileged users enrolled in phishing-resistant MFA, with quarterly testing of token lifecycle processes.
  • Asset inventory accuracy: Reconciliation rate between automated discovery tools and configuration management databases.
  • Patch timeliness: Median days to remediate KEV-listed vulnerabilities.
  • Backup reliability: Success rate of quarterly restore drills and time to recover critical systems.
  • Incident response readiness: Time to detect and contain simulated ransomware exercises; completion rates for tabletop exercise action items.
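The metrics listed above are only useful when they are computed the same way every reporting period from the underlying evidence. The block below is an added example for this briefing, not the page's or CISA's code, that derives four of them (phishing-resistant MFA coverage, inventory reconciliation, median days to remediate KEV-listed findings, and restore-drill reliability) from constructed evidence records; the record layouts, MFA method labels, asset names and dates are all assumed for illustration. Each function returns the gap list alongside the percentage, because the gap is what remediation owners act on.

```python
"""Compute CPG outcome metrics from evidence records.

Added example for this briefing, not the page's or CISA's code. The record
layouts, method labels and every value below are constructed for illustration.
"""
from datetime import date
from statistics import median

AS_OF = date(2024, 4, 1)  # constructed reporting date
PHISHING_RESISTANT = {"fido2", "piv", "webauthn"}  # assumed method labels

# Constructed identity export: one row per privileged account.
PRIVILEGED_USERS = [
    {"user": "ops-admin-1", "mfa": "fido2"},
    {"user": "ops-admin-2", "mfa": "totp"},
    {"user": "db-admin", "mfa": "fido2"},
    {"user": "svc-backup", "mfa": None},
]

# Constructed inventory views: automated discovery vs. the CMDB, by asset id.
DISCOVERED = {"hmi-01", "web-03", "fs-02", "ws-14", "ws-15"}
CMDB = {"hmi-01", "web-03", "fs-02", "ws-14", "plc-07"}

# Constructed remediation log for KEV-listed findings; open ones have no close date.
KEV_FINDINGS = [
    {"cve": "CVE-0000-0001", "opened": "2024-03-01", "closed": "2024-03-10"},
    {"cve": "CVE-0000-0002", "opened": "2024-03-05", "closed": "2024-03-30"},
    {"cve": "CVE-0000-0005", "opened": "2024-03-20", "closed": None},
]

# Constructed quarterly restore-drill results.
RESTORE_DRILLS = [
    {"system": "erp", "success": True, "hours": 4.0},
    {"system": "scada-historian", "success": True, "hours": 9.5},
    {"system": "mail", "success": False, "hours": None},
]


def pct(part, whole):
    """Percentage with an explicit rule for an empty denominator (report 0, not a crash)."""
    return round(100.0 * part / whole, 2) if whole else 0.0


def mfa_coverage(users, resistant=PHISHING_RESISTANT):
    """Share of privileged users on phishing-resistant MFA, plus who is not, so the
    gap is actionable. TOTP and no MFA at all both count against the goal."""
    enrolled = [u["user"] for u in users if u["mfa"] in resistant]
    gaps = [u["user"] for u in users if u["mfa"] not in resistant]
    return pct(len(enrolled), len(users)), gaps


def inventory_reconciliation(discovered, cmdb):
    """Assets present in both views as a share of all assets seen by either,
    with the one-sided leftovers returned for follow-up."""
    union, both = discovered | cmdb, discovered & cmdb
    return pct(len(both), len(union)), sorted(discovered - cmdb), sorted(cmdb - discovered)


def kev_patch_timeliness(findings, today=AS_OF):
    """Median days to close KEV-listed findings; still-open ones reported with their age."""
    closed = [(date.fromisoformat(f["closed"]) - date.fromisoformat(f["opened"])).days
              for f in findings if f["closed"]]
    open_age = {f["cve"]: (today - date.fromisoformat(f["opened"])).days
                for f in findings if not f["closed"]}
    return (median(closed) if closed else None), open_age


def backup_reliability(drills):
    """Restore-drill success rate and the longest successful recovery time."""
    ok = [d for d in drills if d["success"]]
    longest = max((d["hours"] for d in ok), default=None)
    return pct(len(ok), len(drills)), longest


def scorecard():
    """Assemble the metrics in one place for reporting."""
    mfa, mfa_gaps = mfa_coverage(PRIVILEGED_USERS)
    recon, only_disc, only_cmdb = inventory_reconciliation(DISCOVERED, CMDB)
    kev_median, kev_open = kev_patch_timeliness(KEV_FINDINGS)
    restore_rate, longest = backup_reliability(RESTORE_DRILLS)
    return {
        "mfa_phishing_resistant_pct": mfa,
        "mfa_gaps": mfa_gaps,
        "inventory_reconciliation_pct": recon,
        "only_in_discovery": only_disc,
        "only_in_cmdb": only_cmdb,
        "kev_median_days_to_remediate": kev_median,
        "kev_open_age_days": kev_open,
        "restore_success_pct": restore_rate,
        "longest_recovery_hours": longest,
    }


if __name__ == "__main__":
    for name, value in scorecard().items():
        print(f"{name}: {value}")
```

Note that the KEV metric deliberately separates closed findings (which feed the median) from open ones (reported by age): folding open findings into the median would make the number look better as the backlog grows, which is the opposite of what an audit team wants to see.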

Audit teams should review evidence supporting each metric, confirm segregation of duties, and evaluate remediation closure. External assessments—such as Department of Energy Cybersecurity Capability Maturity Model (C2M2) evaluations or state utility commission audits—can validate progress.

Third-party and supply chain considerations

Many critical services depend on suppliers and managed service providers. If you are affected, extend CPG assessments to third parties by updating procurement questionnaires, requiring evidence of MFA, patch management, and incident response capabilities. Contracts should include right-to-audit clauses, breach notification timelines, and requirements for alignment with CISA CPGs or equivalent standards (for example, ISO/IEC 27001). Supply chain monitoring should use continuous vendor risk management platforms, intelligence feeds, and coordinated incident response protocols.

Funding and regulatory alignment

CISA encourages using federal grants and sector programs to fund CPG implementation. For example, the State and Local Cybersecurity Grant Program requires plans referencing the CPGs. Utilities regulated by the North American Electric Reliability Corporation (NERC) can map CPGs to Critical Infrastructure Protection (CIP) standards, ensuring investments serve dual compliance purposes. Healthcare organizations can align CPGs with the HHS 405(d) Health Industry Cybersecurity Practices. Financial institutions can correlate CPG goals with FFIEC handbooks and OCC guidance.

Iterating and improving

If you are affected, treat the CPGs as a living framework. CISA updates the goals to reflect emerging threats; teams must monitor CISA alerts, Joint Cybersecurity Advisories, and KEV updates. Establish change management processes to incorporate new goals, adjust metrics, and communicate expectations to teams. Periodic maturity assessments—perhaps annually—will show trend improvements and readiness for regulatory scrutiny.

The security leadership has benchmarked its identity, network segmentation, and incident response programs against CISA’s Cross-Sector CPGs, allocating capital to phishing-resistant MFA, OT segmentation, and quarterly restore drills to evidence outcome improvements.

Further reading

  1. CISA — Cross-Sector Cybersecurity Performance Goals
  2. Fact Sheet: Cross-Sector Cybersecurity Performance Goals
  3. CISA Known Exploited Vulnerabilities Catalog