
Cybersecurity · Credibility 92/100 · 2 min read

CISA and NIST Publish Cross-Sector Cybersecurity Performance Goals — October 31, 2022

CISA released baseline cybersecurity performance goals with NIST to help critical infrastructure operators prioritise high-impact controls across sectors.

Executive briefing: On October 31, 2022, CISA, in coordination with NIST, published the first Cross-Sector Cybersecurity Performance Goals (CPGs). The voluntary framework outlines prioritized safeguards that critical infrastructure operators should implement to mitigate the most common threats, aligning with the NIST Cybersecurity Framework and federal directives.

Key goal categories

  • Account security. Mandates multi-factor authentication for privileged accounts, disables default credentials, and enforces least privilege.
  • Device security. Recommends secure configuration baselines, patch management, and asset inventories covering IT and OT systems.
  • Governance and resilience. Highlights incident response planning, tabletop exercises, immutable backups, and participation in information-sharing communities.

Actions for operators

  • Map existing controls to the 37 CPGs and identify quick wins that close high-risk gaps, such as MFA coverage or backup immutability.
  • Integrate CPG metrics into board-level risk reporting and align them with regulatory frameworks like NERC CIP, TSA directives, and HIPAA where applicable.
  • Leverage CISA’s CPG checklist and worksheets to track implementation progress and evidence improvements during sector-specific reviews.

Strategic implications

  • Funding alignment. Federal grants and insurance underwriters increasingly reference the CPGs when evaluating resilience posture—prepare supporting documentation.
  • Vendor expectations. Utilities and healthcare providers can incorporate CPG requirements into procurement to raise supply chain baselines.
  • Measurement focus. CISA plans to evolve the goals with maturity tiers; maintain telemetry so improvements can be quantified.

Zeph Tech is embedding CPG checklists into resilience assessments, helping clients tie prioritized safeguards to board-approved remediation roadmaps.
