In July 2021, President Biden signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. This memorandum required CISA, in coordination with the National Institute of Standards and Technology (NIST) and the interagency community, to develop baseline cybersecurity performance goals that are consistent across all critical infrastructure sectors. These voluntary cross-sector Cybersecurity Performance Goals (CPGs) are intended to help establish a common set of fundamental cybersecurity practices for critical infrastructure, and especially help small- and medium-sized organizations kickstart their cybersecurity efforts.
The CPGs are a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques. The goals were informed by existing cybersecurity frameworks and guidance, as well as the real-world threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners. By implementing these goals, owners and operators will not only reduce risks to critical infrastructure operations, but also to the American people.
The CPGs are intended to be:
A baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value.
A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.
A combination of recommended practices for IT and OT owners, including a prioritized set of security practices.
Unique from other control frameworks as they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation.
The CPGs are:
Voluntary: The National Security Memorandum does not create new authorities that compel owners and operators to adopt the CPGs or provide any reporting regarding or related to the CPGs to any government agency.
Not Comprehensive. They do not identify all the cybersecurity practices needed to protect national and economic security and public health and safety. They capture a core set of cybersecurity practices with known risk-reduction value broadly applicable across sectors.
As directed by President Biden’s NSM, the CPGs are intended to supplement the National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF) for organizations seeking assistance in prioritizing investment toward a limited number of high-impact security outcomes, whether due to gaps in expertise, resources, or capabilities or to enable focused improvements across suppliers, vendors, business partners, or customers.
In an effort to accelerate adoption of essential actions to improve cybersecurity across the nation’s critical infrastructure providers, the CPGs recommend an abridged subset of actions to help organizations prioritize their security investments
Full background on the CPGs, their formation, the model, relation to existing standards, and how they should be used is fully outlined in the document.
This is the core document, providing a select list of attestable goals to reduce cyberthreat to your organization.
This document is to be used in tandem with the CPGs to help prioritize and track your organization’s implementation.
This is the master source document for the CPGs, including all reference information and resource links.
This virtual forum has been established by CISA to discuss and collaborate on community-proposed additions, changes, and other considerations for future versions of the CPGs.
Frequently Asked Questions
Q: ARE THE CPGS MANDATORY OR VOLUNTARY?
A: The Cybersecurity Performance Goals are voluntary. Organizations can choose to adopt the CPGs to help them prioritize security investments toward the most critical outcomes, in conjunction with broader frameworks like the NIST Cybersecurity Framework.
Q: HOW DID CISA TAKE INPUT FROM INDUSTRY AS IT DEVELOPED THESE GOALS
A: CISA developed the Cybersecurity Performance Goals based on extensive feedback from partners with the goal of creating a final product that reflects input from a wide range of groups including federal agencies, the private sector, and international partners. We achieved this goal via written comments, workshops, listening sessions, and focused discussions with experts across a variety of disciplines. The feedback we have received throughout this process has been invaluable, which is why we will maintain an open request for input as organizations begin to use the CPGs in practice and as we build out cybersecurity goals specific to individual critical infrastructure sectors in the coming months.
Following the release of the CPGs, CISA will continue taking input and welcomes feedback from partners from across the critical infrastructure community. In fact, CISA has already setup a Discussions page to receive feedback and ideas for new CPGs, plans to regularly update the CPGs, and will work directly with individual critical infrastructure sectors as we build out sector-specific CPGs in the coming months.
Q: WILL THERE BE ADDITIONAL OPPORTUNITIES TO PROVIDE INPUT?
A: Yes! Following the release of the CPGs, CISA will continue taking input and welcomes feedback from partners from across the cybersecurity and critical infrastructure communities. In fact, CISA has already setup a Discussions page to receive feedback and ideas for new CPGs, plans to regularly update the CPGs and will work directly with individual critical infrastructure sectors as we build out sector-specific CPGs in the coming months.
Q: HOW ARE THESE CYBERSECURITY PERFORMANCE GOALS (CPGs) DIFFERENT THAN THOSE SEEN PREVIOUSLY?
A: These Cyber Performance Goals (CPGs) are different than previous guidance for several reasons. First, the CPGs provide a succinct set of high-priority security outcomes and recommended actions applicable to IT and OT environments. In this way, the CPGs enable organizations to undertake prioritized and targeted investment to address the most significant cybersecurity risks. Second, the CPGs are accompanied by Checklist that allow organizations to prioritize their utilization of each goal based upon cost, complexity, and impact, making the CPGs uniquely useful for organizations with limited resources. Finally, the CPGs will be regularly refreshed and updated, allowing them to be used as a continuously effective resource to drive prioritized investments against the most significant threats and critical risks.
Q: WILL THE CYBER PERFORMANCE GOALS BE SPECIFIC TO CRITICAL INFRASTRUCTURE OPERATORS?
A: Yes. The White House’s National Security Memorandum (NSM) on "Improving Cybersecurity for Critical Infrastructure Control Systems” states that the “performance goals should serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services,” such as water, transportation, communications, energy, healthcare, emergency services and beyond.
The CPGs are intended to outline high-priority cybersecurity goals and associated actions to enable progress toward a consistent baseline across all critical infrastructure sectors. The CPGs will be a tool that individual critical infrastructure owners and operators can use to evaluate their own cybersecurity posture and understand how the cybersecurity posture of their sector compares with established practices within the sector and across sectors.
While the NSM is intended to apply specifically to critical infrastructure owners and operators, many organizations that do not self-identify as critical infrastructure will find value in utilizing the CPGs as part of their cybersecurity risk management program, including small and medium organizations that may serve a critical role as part of the supply chain for a national critical function.
Q. WHAT CRITERIA WERE USED TO DETERMINE WHICH GOALS TO INCLUDE?
A: The CPGs were determined based on three criteria: (1) Significantly and directly reduce the risk or impact caused by commonly observed, cross-sector threats and adversary TTPs; (2) Clear, actionable, and easily definable, and (3) Reasonably straightforward and not cost-prohibitive for even small- and medium-sized entities to successfully implement. CISA benefitted from rigorous input across public and private partners to ensure that each CPG met these criteria.
Performance Goals Conduct Questions
Q: WHAT IS THE EXPECTATION IF A GOAL/OBJECTIVE IS NOT APPLICABLE TO MY SECTOR/SUBSECTOR?
A: The purpose of the cross-sector CPGs is to outline most important security outcomes and associated actions that apply to all sectors. If goals or objectives in the cross-sector CPGs do not apply to your sector, please note this in any feedback you provide. Following initial publication, CISA intends to continue to collect feedback on the CPGs and incorporate updates at a future date. We have also posted the CPGs to GitHub here and encourage stakeholders to submit comments and recommendations for future changes.
Q: HOW WILL THIS EFFORT CAPTURE CYBERSECURITY PRACTICES FOR DIFFERING SECTOR TYPES?
A: The purpose of the CPGs is to outline the cybersecurity practices that apply to most critical infrastructure providers. They are intended to be general in nature and not overly prescriptive. In addition to the high-level goals, each objective includes “Recommend Actions” that can be customized by each sector to provide a flexible example of how a goal or objective might be achieved in their own sector. Each sector will also evaluate the need for sector-specific goals, which will address any cybersecurity outcomes specific to their sector.
Q: WILL ALL CRITICAL INFRASTRUCTURE OPERATORS BE EXPECTED TO MEET THE CYBERSECURITY PERFORMANCE GOALS OR WILL THERE BE A THRESHOLD THAT OUTLINES THE TYPE OF ENTITIES THAT WILL BE EXPECTED TO MEET THE GOALS?
A: The CPGs are intended to serve as a resource that can be utilized by all critical infrastructure organizations and are expected to be of particular use to small- and medium-sized entities. By making the goals clearly measurable, organizations across the size and maturity spectrum will be able to have a definitive understanding of what actions to take, and how to self-assess progress towards meeting the goals.
NIST Cybersecurity Framework (CSF) Relationship to CPGs Questions
Q: WILL THE CPGs BE MAPPED TO NIST CSF?
A: The National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF) enables organizations to develop a comprehensive, risk-based cybersecurity program and enumerates a holistic set of categorized actions that can be taken to reduce an organization’s cyber risk and quickly respond to and recover from incidents.
As directed by President Biden’s NSM, the CPGs are intended to supplement the NIST CSF for organizations seeking assistance in prioritizing investment toward a limited number of high-impact security outcomes, whether due to gaps in expertise, resources, or capabilities or to enable focused improvements across suppliers, vendors, business partners, or customers. To this end, each goal in the CPGs is mapped to a corresponding subcategory from the NIST CSF.
For More Information
To learn more about Cybersecurity Performance Goals, visit cisa.gov/cpgs. For more information or to seek additional help, contact CISA-ExternalAffairs@cisa.dhs.gov. For media inquiries, please contact CISA Media at CISAMedia@cisa.dhs.gov.
Now that the cross-sector CPGs are complete, CISA will work with each Sector Risk Management Agency (SRMA) to begin development of sector-specific goals by:
- Identifying any additional cybersecurity practices, not already included in the Common Baseline, needed to ensure the safe and reliable operation of critical infrastructure in that sector.
- Providing examples for recommended actions specific to the infrastructure and entities in that sector; and
- Mapping any existing requirements (e.g., regulations or security directives) to the Common Baseline and sector-specific objectives and/or recommended actions so stakeholders can see how their existing compliance practices fulfill certain objectives.
More information on the sector-specific goals will be provided as it is available.