
CISA Cross-Sector Cybersecurity Performance Goals — Adoption Blueprint

CISA’s cross-sector performance goals translate the NIST Cybersecurity Framework into prioritized baseline and enhanced safeguards for critical infrastructure, requiring governance, testing, and supply chain controls to demonstrate measurable risk reduction.


Executive briefing: The Cybersecurity and Infrastructure Security Agency (CISA) released the Cross-Sector Cybersecurity Performance Goals (CPGs), a prioritized set of baseline and enhanced practices designed to help critical infrastructure operators manage the most prevalent cyber risks. Developed in partnership with the National Institute of Standards and Technology (NIST), the CPGs translate the NIST Cybersecurity Framework into actionable safeguards that address common threat vectors affecting organizations of all sizes. They cover identity and access management, device security, network segmentation, data integrity, vulnerability management, incident response, and governance. Although voluntary, the Department of Homeland Security encourages federal and state regulators to reference the CPGs, and many grant programs now require progress reporting.

Understanding baseline and enhanced goals

The CPGs divide 37 goals into baseline and enhanced categories. Baseline goals represent minimum safeguards every critical infrastructure entity should implement regardless of size or maturity; examples include multifactor authentication (MFA) for privileged accounts, asset inventories, patch management, and tested incident response plans. Enhanced goals reflect more advanced practices such as phishing-resistant MFA, network segmentation for operational technology (OT), centralized security event logging, and external vulnerability scanning. CISA aligns each goal with the relevant NIST CSF subcategories and maps it to related frameworks such as CIS Controls v8 and the MITRE ATT&CK matrix.

Implementation strategy

Organizations should conduct a structured assessment to benchmark against the CPGs. Steps include:

  • Scope definition: Identify critical services, assets, and systems, including IT, OT, and cloud environments. Map dependencies on third-party providers and managed services.
  • Control assessment: Evaluate current controls against each goal, documenting evidence (policies, configurations, logs). Distinguish between partial, full, or absent implementation.
  • Risk prioritization: Use threat intelligence and business impact analysis to prioritize gaps. Consider ransomware prevalence, supply chain dependencies, regulatory obligations, and safety implications.
  • Remediation planning: Develop roadmaps with defined milestones, budgets, and accountable owners. Integrate projects into enterprise risk registers and capital planning.

Key control domains

Identity and access management (IAM): Baseline goals require MFA for administrative access, unique credentials, and centralized access reviews. Enhanced goals call for phishing-resistant MFA (for example, FIDO2 security keys), just-in-time privileged access, and passwordless authentication pilots. Organizations should maintain IAM metrics such as number of privileged accounts, MFA adoption rate, and access review completion. Testing should confirm that MFA is enforced across remote access, VPNs, cloud portals, and OT remote management solutions.

Device security: CPGs mandate asset inventories covering hardware, software, and firmware. Implement automated discovery tools (agent-based, network scans) and maintain configuration baselines aligned with Center for Internet Security (CIS) benchmarks. Enhanced goals emphasize endpoint detection and response (EDR) coverage and secure remote management. Outcome testing should include penetration testing of unmanaged devices, configuration drift analysis, and validation of secure boot and patching on OT assets.

Network segmentation: Baseline expectations include segmenting networks to limit lateral movement and isolating administrative interfaces. Enhanced goals recommend dedicated management networks, zero trust segmentation, and enforced least privilege between IT and OT. Organizations should use micro-segmentation platforms, firewall policies, and software-defined networking controls. Testing should include red-team exercises, simulated ransomware propagation, and validation of firewall rule change processes.

Data security and backup: CPGs highlight maintaining offline, immutable backups and regularly testing restoration. Implement backup schedules aligned with recovery point objectives (RPOs) and recovery time objectives (RTOs). Enhanced goals include applying data loss prevention (DLP) controls, encryption, and secure key management. Conduct regular backup restore drills, track success rates, and monitor backup infrastructure for tampering.

Vulnerability and patch management: Organizations must perform routine vulnerability scanning, patch high-severity vulnerabilities within defined timelines, and monitor for exploitation. Enhanced goals include performing authenticated scans, risk-based prioritization using CISA’s Known Exploited Vulnerabilities (KEV) catalog, and adopting automated patch deployment. Maintain metrics such as mean time to remediate (MTTR), percentage of assets covered by scans, and exception volumes. Test program effectiveness with independent penetration tests and configuration audits.

Incident response and recovery: Baseline goals require written incident response plans, designated teams, and tested escalation procedures. Enhanced goals call for tabletop exercises with executive participation, integration with external partners (for example, Information Sharing and Analysis Centers), and playbooks for ransomware and business email compromise. Post-incident reviews should feed into continuous improvement cycles.

Governance and risk management: The CPGs encourage establishing cybersecurity risk registers, aligning budgets to prioritized gaps, and ensuring board-level oversight. Enhanced goals include appointing senior accountable executives, integrating cybersecurity with enterprise risk management (ERM), and sharing risk metrics with stakeholders. Organizations should tie incentives and performance reviews to cybersecurity objectives.

Outcome testing and metrics

To demonstrate progress, organizations should track metrics mapped to each goal. Examples include:

  • MFA coverage: Percentage of privileged users enrolled in phishing-resistant MFA, with quarterly testing of token lifecycle processes.
  • Asset inventory accuracy: Reconciliation rate between automated discovery tools and configuration management databases.
  • Patch timeliness: Median days to remediate KEV-listed vulnerabilities.
  • Backup reliability: Success rate of quarterly restore drills and time to recover critical systems.
  • Incident response readiness: Time to detect and contain simulated ransomware exercises; completion rates for tabletop exercise action items.
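The metrics listed above, together with the KEV-based prioritization and restore-drill tracking described under the control domains, reduce to a few joins and ratios over identity, inventory, scan and drill records. The Python below is an added example written for this briefing, not code from CISA or from Zeph Tech; the record layouts, the set of factors treated as phishing-resistant, the 14-day KEV remediation SLA, the 4-hour RTO and the CVE identifiers are all constructed placeholders, and the reconciliation rate is defined here as assets present in both sources divided by assets present in either.

```python
"""Outcome metrics for several CISA CPG goals, computed over constructed sample records.

Added example, not CISA's or the briefing author's code. Record layouts, SLA/RTO
values and CVE identifiers are assumptions chosen for illustration.
"""
from datetime import date
from statistics import median

# --- Constructed sample data ---------------------------------------------------

# Privileged accounts and the MFA factor each is enrolled in (None = no MFA).
PRIVILEGED_USERS = [
    {"user": "admin-alice", "mfa": "fido2"},
    {"user": "admin-bob", "mfa": "totp"},
    {"user": "admin-carol", "mfa": "fido2"},
    {"user": "admin-dave", "mfa": None},
]
# Assumption: these factors count as phishing-resistant; OTP and push do not.
PHISHING_RESISTANT = {"fido2", "piv", "webauthn"}

# Host identifiers seen by automated discovery versus recorded in the CMDB.
DISCOVERED_ASSETS = {"hmi-01", "plc-07", "fw-edge-1", "srv-ad-01", "srv-erp-02"}
CMDB_ASSETS = {"hmi-01", "plc-07", "srv-ad-01", "srv-erp-02", "srv-old-09"}

# Placeholder KEV entries; a real run would load CISA's KEV catalog instead.
KEV_CATALOG = {"CVE-0000-11111", "CVE-0000-22222"}

# Scanner findings with first-seen date and remediation date (None = still open).
FINDINGS = [
    {"asset": "srv-ad-01", "cve": "CVE-0000-11111", "opened": date(2024, 3, 1), "closed": date(2024, 3, 6)},
    {"asset": "fw-edge-1", "cve": "CVE-0000-22222", "opened": date(2024, 3, 2), "closed": date(2024, 3, 20)},
    {"asset": "srv-erp-02", "cve": "CVE-0000-11111", "opened": date(2024, 3, 3), "closed": date(2024, 3, 10)},
    {"asset": "hmi-01", "cve": "CVE-0000-33333", "opened": date(2024, 3, 1), "closed": date(2024, 5, 1)},  # not KEV
    {"asset": "plc-07", "cve": "CVE-0000-22222", "opened": date(2024, 3, 5), "closed": None},  # open KEV
]

# Quarterly restore drills: outcome and hours needed to recover the system.
RESTORE_DRILLS = [
    {"system": "srv-ad-01", "success": True, "hours": 3.5},
    {"system": "srv-erp-02", "success": True, "hours": 9.0},
    {"system": "hmi-01", "success": False, "hours": None},
    {"system": "srv-ad-01", "success": True, "hours": 2.0},
]

# --- Metric functions ------------------------------------------------------------

def mfa_coverage(users, resistant=PHISHING_RESISTANT):
    """Return (any-MFA rate, phishing-resistant MFA rate) across privileged users."""
    total = len(users)
    any_mfa = sum(1 for u in users if u["mfa"])
    resistant_mfa = sum(1 for u in users if u["mfa"] in resistant)
    return any_mfa / total, resistant_mfa / total


def inventory_reconciliation(discovered, cmdb):
    """Reconciliation rate plus the two gap lists auditors ask for."""
    both, either = discovered & cmdb, discovered | cmdb
    return {
        "rate": len(both) / len(either),
        "unregistered": sorted(discovered - cmdb),  # live on the network, absent from CMDB
        "stale": sorted(cmdb - discovered),         # in CMDB, not seen by discovery
    }


def kev_remediation(findings, kev, as_of, sla_days=14):
    """Median days to close KEV-listed findings and open KEV findings past the SLA."""
    kev_findings = [f for f in findings if f["cve"] in kev]
    closed_days = [(f["closed"] - f["opened"]).days for f in kev_findings if f["closed"]]
    overdue = [f for f in kev_findings
               if f["closed"] is None and (as_of - f["opened"]).days > sla_days]
    return {
        "median_days": median(closed_days) if closed_days else None,
        "closed": len(closed_days),
        "open": len(kev_findings) - len(closed_days),
        "overdue": [(f["asset"], f["cve"]) for f in overdue],
    }


def backup_drill_metrics(drills, rto_hours):
    """Restore success rate and the share of successful restores that met the RTO."""
    successes = [d for d in drills if d["success"]]
    within_rto = [d for d in successes if d["hours"] <= rto_hours]
    return {
        "success_rate": len(successes) / len(drills),
        "rto_met_rate": len(within_rto) / len(successes) if successes else 0.0,
        "worst_recovery_hours": max(d["hours"] for d in successes) if successes else None,
    }


def cpg_scorecard(as_of=date(2024, 4, 1), rto_hours=4.0):
    """Assemble the metrics into one dict that can be reviewed against evidence."""
    any_mfa, resistant = mfa_coverage(PRIVILEGED_USERS)
    return {
        "mfa_rate": any_mfa,
        "phishing_resistant_mfa_rate": resistant,
        "inventory": inventory_reconciliation(DISCOVERED_ASSETS, CMDB_ASSETS),
        "kev": kev_remediation(FINDINGS, KEV_CATALOG, as_of),
        "backups": backup_drill_metrics(RESTORE_DRILLS, rto_hours),
    }


if __name__ == "__main__":
    for name, value in cpg_scorecard().items():
        print(f"{name}: {value}")
```

Each function returns the gap list alongside the ratio (unregistered hosts, stale CMDB records, overdue KEV findings, the slowest restore) because the ratio alone is what a dashboard shows while the list is what an audit team needs to confirm segregation of duties and remediation closure.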

Audit teams should review evidence supporting each metric, confirm segregation of duties, and evaluate remediation closure. External assessments—such as Department of Energy Cybersecurity Capability Maturity Model (C2M2) evaluations or state utility commission audits—can validate progress.

Third-party and supply chain considerations

Many critical services depend on suppliers and managed service providers. Organizations should extend CPG assessments to third parties by updating procurement questionnaires, requiring evidence of MFA, patch management, and incident response capabilities. Contracts should include right-to-audit clauses, breach notification timelines, and requirements for alignment with CISA CPGs or equivalent standards (for example, ISO/IEC 27001). Supply chain monitoring should use continuous vendor risk management platforms, intelligence feeds, and coordinated incident response protocols.

Funding and regulatory alignment

CISA encourages leveraging federal grants and sector programs to fund CPG implementation. For example, the State and Local Cybersecurity Grant Program requires plans referencing the CPGs. Utilities regulated by the North American Electric Reliability Corporation (NERC) can map CPGs to Critical Infrastructure Protection (CIP) standards, ensuring investments serve dual compliance purposes. Healthcare organizations can align CPGs with the HHS 405(d) Health Industry Cybersecurity Practices. Financial institutions can correlate CPG goals with FFIEC handbooks and OCC guidance.

Continuous improvement

Organizations should treat the CPGs as a living framework. CISA updates the goals to reflect emerging threats; teams must monitor CISA alerts, Joint Cybersecurity Advisories, and KEV updates. Establish change management processes to incorporate new goals, adjust metrics, and communicate expectations to stakeholders. Periodic maturity assessments—perhaps annually—will demonstrate trend improvements and readiness for regulatory scrutiny.

Zeph Tech’s security leadership has benchmarked its identity, network segmentation, and incident response programs against CISA’s Cross-Sector CPGs, allocating capital to phishing-resistant MFA, OT segmentation, and quarterly restore drills to evidence outcome improvements.

