Cybersecurity Performance Goals: Frequently Asked Questions

Cybersecurity Performance Goals FAQs

How are the updated Cybersecurity Performance Goals (CPGs) different than the CPGs released in October 2022?

The Cybersecurity and Infrastructure Security Agency (CISA) received multiple requests to present the CPGs in a manner that was more easily traceable to the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). To that end, CISA has reorganized the goals to align to the NIST CSF functions (Identify, Protect, Detect, Respond, and Recover). It is important to note that several goals map to multiple functions, and – as previously stated – implementation of a given CPG does not necessarily constitute complete fulfillment of the referenced NIST CSF subcategory.

Here are the revisions to the CPGs, which are reflected in newest version:

First, the CPGs have been reordered and renumbered to align closely with NIST CSF functions. Next, accompanying documents (the Checklist and Matrix) have been adjusted accordingly. Mappings from the original numbering are reflected in the Matrix for users who may be familiar with the original publication. Additionally, the multifactor authentication (MFA) goal now reflects the most recently published CISA guidance regarding Phishing-Resistant MFA and the considerations for prioritizing implementation. The agency has also added a goal to aid organizations’ recovery planning. Finally, slight modifications to the glossary reflect the minor content changes listed above, as well as to the acknowledgment section to include the additional stakeholders who have contributed to the current and previous versions.

How did CISA accept input from industry as it developed these goals?

CISA developed the CPGs based on extensive feedback from a wide range of groups including federal agencies, the private sector and international partners. CISA used written comments, workshops, listening sessions and focused discussions with experts across a variety of disciplines to create a final product that reflects broad input. The feedback we have received throughout the development process has been invaluable, which is why we will continue to maintain an open request for input.

Will there be additional opportunities to provide input?

Yes!  Following the release of the original CPGs, CISA continues to take input and welcomes feedback from partners from across the cybersecurity and critical infrastructure communities. In fact, CISA has a Discussions page to receive feedback and ideas for new CPGs, plans to regularly update the CPGs and will work directly with individual critical infrastructure sectors as we build out sector-specific CPGs in the coming months.

Do the CPGs apply to individual owners and operators or critical infrastructure? 

Yes. The White House’s National Security Memorandum (NSM) on "Improving Cybersecurity for Critical Infrastructure Control Systems” states that the “performance goals should serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services,” from water to transportation to communications to energy, healthcare and emergency services.

The CPGs are intended to outline high-priority cybersecurity goals and associated actions to enable progress toward a consistent baseline across all critical infrastructure sectors. The CPGs and Sector Specific Goals (in development) are tools that individual critical infrastructure operators can use to evaluate their own cybersecurity posture and understand how the cybersecurity posture of their sector compares with established practices within the sector and across sectors.

Regardless of whether they self-identify as critical infrastructure owners or operators, organizations of all sizes will find value in utilizing the CPGs as part of their cybersecurity risk management program.

Why is it important to have measurable goals?

Every organization faces challenges in understanding how to prioritize investments toward measurable improvements and assess progress toward defined outcomes. The CPGs were intentionally designed to help organizations justify investments toward the most critical areas. By making the goals clearly measurable, organizations across the size and maturity spectrum will be able to understand what actions to take, and how to self-assess progress towards meeting the goals.

What criteria were used to determine which goals to include?

The CPGs were determined based on three criteria: (1) Significantly and directly reduce the risk or impact caused by commonly observed, cross-sector threats and adversary Tactics, Techniques, and Procedures; (2) Clear, actionable and easily definable, and (3) Reasonably straightforward and not cost-prohibitive for even small- and medium-sized entities to successfully implement. CISA benefitted from rigorous input across public and private partners to help ensure that each CPG met these criteria.

How do we define when Goals are achieved? How is measurement conducted and quantified? How often should measurement be performed?

The intent of the CPGs is to provide a common resource to help organizations prioritize security investments toward the most impactful outcomes. Each organization can use the CPGs as part of their broader cybersecurity program to evaluate progress and justify necessary investments. To this end, the “Recommended Actions” enumerated for each CPG are based upon insights from hundreds of stakeholders and CISA’s operational observations, but can be tailored based upon the unique maturity, technology environments, and risks of a given entity or sector.

Cybersecurity Performance Goals Conduct Questions

What is the expectation if a goal/objective is not applicable to my sector/subsector?

The purpose of the cross-sector CPGs is to outline most important security outcomes and associated actions that apply to all sectors. If goals or objectives in the cross-sector CPGs do not apply to your sector, please note this in any feedback you provide. Following initial publication, CISA intends to continue to collect feedback on the CPGs and incorporate updates at a future date.  We have also posted the CPGs to GitHub and encourage stakeholders to submit comments and recommendations for future changes.     

How will this effort capture cybersecurity practices for differing sector types?

The purpose of the CPGs is to outline the cybersecurity practices that apply to most critical infrastructure providers. They are intended to be general in nature and not overly prescriptive. In addition to the high-level goals, each objective includes “Recommend Actions” that can be customized by each sector to provide a flexible example of how a goal or objective might be achieved in their own sector. Each sector will also evaluate the need for sector-specific goals, which will address cybersecurity outcomes specific to their sector.

Will all critical infrastructure operators be expected to meet the Cybersecurity Performance Goals or will there be a threshold that outlines the type of entities that will be expected to meet these goals?

The CPGs are intended to serve as a voluntary resource that can be utilized by all critical infrastructure organizations. The CPGs should be particularly useful to small- and medium-sized entities. By making the goals clearly measurable, organizations across the size and maturity spectrum will be able to understand what actions to take, and how to self-assess progress towards meeting the goals.

Will CISA Audit Entities for CPG Compliance?

As outlined in President Biden’s NSM, the performance goals are voluntary. CISA has no plans to audit entities based on the performance goals. On our website, CISA includes include a mapping of the CPGs to other commonly used frameworks such as NIST CSF, International Society of Automation/International Electrotechnical Commission 62443, etc. so customers can understand where a given CPG may align to those other tools.

National Institutes of Standards and Technology's Cybersecurity Framework Relationship to CPGs Question

Will the CPGs be mapped to the National Institute of Standards and Technology's Cybersecurity Framework?

The National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF) enables organizations to develop a comprehensive, risk-based cybersecurity program and enumerates a holistic set of categorized actions that can be taken to reduce an organization’s cyber risk and quickly respond to and recover from incidents.  

As directed by President Biden’s NSM, the CPGs are intended to supplement the NIST CSF for organizations seeking assistance in prioritizing investment toward a limited number of high-impact security outcomes, whether due to gaps in expertise, resources, or capabilities or to enable focused improvements across suppliers, vendors, business partners, or customers. To this end, each goal in the CPGs is mapped to a corresponding subcategory from the NIST CSF.

In our most recent v1.0.1. release, CISA has also grouped the Goals according to each of the related CSF Functions. NIST is currently updating its CSF. CISA will update its CPGs to align with the CSF 2.0.

Sector-Specific Performance Goals Questions

Will Certain Sectors be Prioritized as Sector-Specific Goals are Developed?

Yes. CISA is currently building out cybersecurity goals specific to the 16 sectors of critical infrastructure. We are beginning with the IT, Chemical, Financial Services and Product Design, & Energy (Electrical distribution) sectors.  After delivery of these first four sets of sector specific goals, CISA will begin planning for the next set of sector-specific goals. 

Which Sectors Currently Have Established Timelines?

In order to develop effective sector-specific goals, CISA will use the cross-sector CPGs to support Sector RISK Management Agencies in developing sector-specific goals in the coming months following final publication of the cross-sector CPGs

Additional Questions

Would The CPGs Address Assessments Tailored Specifically for Generative Artifical Intelligence (Ai)-Based Cyber Threats?

The current version of the CPGs does not yet explicitly address AI. With that said, AI security is a key CISA priority going forward, and the CISA CPG team is currently assessing how AI should be addressed in the CPGs, as well as how the CPGs might help inform secure AI development.

Do the CPGs Take into Account Collaboration Within and Between Teams?

Yes!  The CPGs specifically call out the need for communication and partnership between Information Technology and Operational Technology/Industrial Control System teams within an organization, rather than acting in a stovepipe manner.

Does CISA Plan on Creating a Training Program?

CISA does have online available training on how to conduct assessments utilizing the Cyber Security Evaluation Tool: Cybersecurity Performance Goals (CPG) Assessment Training | CISA. We also have an Assessment Evaluation and Standardization program to increase the quality and quantity of cyber professionals who can execute CISA cyber assessments. Training assessors in Cyber Risk Assessment methodologies is a major step in setting up an ecosystem for performing cyber assessments, and in providing national-level data views that drive initiatives to reduce risk. More here: Assessment Evaluation and Standardization Program | CISA.

At this time, we do not have an official assessor certification program.

How Much Does a CISA Assessment Cost for a Smaller Business and Would it Include Red Teaming?

CISA services are at no cost, that said, some of the more complex services like red teaming, are highly complex and resource intensive, and may have limited availability as compared to more scalable service offerings. CISA cybersecurity advisors can be key partners in helping a customer determine what products might best fit their needs based on sector, size, or industry.