Cross-Sector Cybersecurity Performance Goals
In July 2021, President Biden signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.
This memorandum required CISA, in coordination with the National Institute of Standards and Technology (NIST) and the interagency community, to develop baseline cybersecurity performance goals that are consistent across all critical infrastructure sectors. These voluntary cross-sector Cybersecurity Performance Goals (CPGs) are intended to help establish a common set of fundamental cybersecurity practices for critical infrastructure, and especially help small- and medium-sized organizations kickstart their cybersecurity efforts.
The CPGs are a prioritized subset of information technology (IT) and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques. The goals were informed by existing cybersecurity frameworks and guidance, as well as the real-world threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners. By implementing these goals, owners and operators will not only reduce risks to critical infrastructure operations, but also to the American people.
The first version of the CPGs was published in October 2022. Since that time, CISA received feedback from multiple sectors across the stakeholder community, requesting that the goals be represented in a manner that was more easily traceable to the NIST Cybersecurity Framework (CSF). To that end, CISA has reorganized the goals according to the related NIST CSF functions (Identify, Protect, Detect, Respond, and Recover). It is important to note that several goals map to multiple functions, and – as previously stated – implementation of a given CPG does not necessarily constitute complete fulfillment of the referenced NIST CSF subcategory. A more comprehensive summary of the changes between the previous and current versions of the CPGs is available in the document itself.
The CPGs are intended to be:
- A baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value.
- A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.
- A combination of recommended practices for IT and OT owners, including a prioritized set of security practices.
- Unique from other control frameworks, as they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation.
The CPGs are:
- Voluntary: The National Security Memorandum does not create new authorities that compel owners and operators to adopt the CPGs or to provide any reporting regarding or related to the CPGs to any government agency.
- Not comprehensive: They do not identify all the cybersecurity practices needed to protect national and economic security and public health and safety. They capture a core set of cybersecurity practices with known risk-reduction value broadly applicable across sectors.
As directed by President Biden’s NSM, the CPGs are intended to supplement the National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF) for organizations seeking assistance in prioritizing investment toward a limited number of high-impact security outcomes, whether due to gaps in expertise, resources, or capabilities, or to enable focused improvements across suppliers, vendors, business partners, or customers.
In an effort to accelerate adoption of essential actions to improve cybersecurity across the nation’s critical infrastructure providers, the CPGs recommend an abridged subset of actions to help organizations prioritize their security investments.
Full background on the CPGs, their formation, the model, relation to existing standards, and how they should be used is fully outlined in the document.
CISA CPG Checklist
Complete CPGs Matrix/Spreadsheet
Frequently Asked Questions
- Q: HOW ARE THE UPDATED CYBERSECURITY PERFORMANCE GOALS (CPGs) DIFFERENT THAN THE CPGS RELEASED IN OCTOBER 2022?
A: The Cybersecurity and Infrastructure Security Agency (CISA) received feedback from multiple sectors requesting that the goals be represented in a manner that was more easily traceable to the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). To that end, CISA has reorganized the goals to align to the NIST CSF functions (Identify, Protect, Detect, Respond, and Recover). It is important to note that several goals map to multiple functions, and – as previously stated – implementation of a given CPG does not necessarily constitute complete fulfillment of the referenced NIST CSF subcategory.
Here are the revisions to the CPGs, which are reflected in the newest version:
First, the CPGs have been reordered and renumbered to align closely with the NIST CSF functions.
Next, the accompanying documents (the Checklist and Matrix) have been adjusted accordingly. Mappings from the original numbering are reflected in the Matrix for users who may be familiar with the original publication.
Additionally, the multifactor authentication (MFA) goal has been updated to reflect the most recently published CISA guidance regarding Phishing-Resistant MFA and the considerations for prioritizing implementation.
The agency has also added a goal, based on GitHub feedback, to aid in organizations’ recovery planning.
Finally, slight modifications have been made to the glossary to reflect the minor content changes listed above, as well as to the acknowledgment section to include the additional stakeholders who have contributed to the current and previous versions.
- Q: HOW DID CISA TAKE INPUT FROM INDUSTRY AS IT DEVELOPED THESE GOALS?
A: CISA developed the Cybersecurity Performance Goals based on extensive feedback from partners with the goal of creating a final product that reflects input from a wide range of groups including federal agencies, the private sector, and international partners. We achieved this goal via written comments, workshops, listening sessions, and focused discussions with experts across a variety of disciplines. The feedback we have received throughout this process has been invaluable, which is why we will maintain an open request for input as organizations begin to use the CPGs in practice and as we build out cybersecurity goals specific to individual critical infrastructure sectors in the coming months.
Following the release of the CPGs, CISA has taken, and will continue taking, input and welcomes feedback from partners from across the critical infrastructure community. In fact, CISA has an active Discussions page to receive feedback and ideas for new CPGs, plans to regularly update the CPGs, and will work directly with individual critical infrastructure sectors as we build out sector-specific CPGs in the coming months.
- Q: WILL THERE BE ADDITIONAL OPPORTUNITIES TO PROVIDE INPUT?
A: Yes! Following the release of the original CPGs, CISA will take input and welcomes feedback from partners from across the cybersecurity and critical infrastructure communities. In fact, CISA has a Discussions page to receive feedback and ideas for new CPGs, plans to regularly update the CPGs and will work directly with individual critical infrastructure sectors as we build out sector-specific CPGs in the coming months.
- Q: WILL THE CYBER PERFORMANCE GOALS BE SPECIFIC TO CRITICAL INFRASTRUCTURE OPERATORS?
A: Yes. The White House’s National Security Memorandum (NSM) on “Improving Cybersecurity for Critical Infrastructure Control Systems” states that the “performance goals should serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services, from water to transportation to communications to energy, healthcare, and emergency services.”
The CPGs are intended to outline high-priority cybersecurity goals and associated actions to enable progress toward a consistent baseline across all critical infrastructure sectors. The CPGs will be a tool that individual critical infrastructure operators can use to evaluate their own cybersecurity posture and understand how the cybersecurity posture of their sector compares with established practices within the sector and across other sectors.
While the NSM is intended to apply specifically to critical infrastructure owners and operators, many organizations that do not self-identify as critical infrastructure will find value in utilizing the CPGs as part of their cybersecurity risk management program, including small and medium organizations that may serve a critical role as part of the supply chain for a national critical function.
- Q: WHAT CRITERIA WERE USED TO DETERMINE WHICH GOALS TO INCLUDE?
A: The CPGs were determined based on three criteria: (1) significantly and directly reduce the risk or impact caused by commonly observed, cross-sector threats and adversary TTPs; (2) clear, actionable, and easily definable; and (3) reasonably straightforward and not cost-prohibitive for even small- and medium-sized entities to successfully implement. CISA benefited from rigorous input across public and private partners to ensure that each CPG met these criteria.
Performance Goals Conduct Questions
- Q: WHAT IS THE EXPECTATION IF A GOAL/OBJECTIVE IS NOT APPLICABLE TO MY SECTOR/SUBSECTOR?
A: The purpose of the cross-sector CPGs is to outline the most important security outcomes and associated actions that apply to all sectors. If goals or objectives in the cross-sector CPGs do not apply to your sector, please note this in any feedback you provide. Following initial publication, CISA intends to continue to collect feedback on the CPGs and incorporate updates at a future date. We have also posted the CPGs to GitHub and encourage stakeholders to submit comments and recommendations for future changes.
- Q: HOW WILL THIS EFFORT CAPTURE CYBERSECURITY PRACTICES FOR DIFFERING SECTOR TYPES?
A: The purpose of the cross-sector CPGs is to outline the cybersecurity practices that apply to most critical infrastructure providers. They are intended to be general in nature and not overly prescriptive. In addition to the high-level goals, each objective includes “Recommended Actions” that can be customized by each sector to provide a flexible example of how a goal or objective might be achieved in their own sector. Each sector will also evaluate the need for sector-specific goals, which will address any cybersecurity outcomes specific to their sector.
- Q: WILL ALL CRITICAL INFRASTRUCTURE OPERATORS BE EXPECTED TO MEET THE CYBERSECURITY PERFORMANCE GOALS OR WILL THERE BE A THRESHOLD THAT OUTLINES THE TYPE OF ENTITIES THAT WILL BE EXPECTED TO MEET THE GOALS?
A: The CPGs are intended to serve as a voluntary resource that can be utilized by all critical infrastructure organizations and are expected to be of particular use to small- and medium-sized entities. By making the goals clearly measurable, organizations across the size and maturity spectrum will be able to have a definitive understanding of what actions to take, and how to self-assess progress towards meeting the goals.
NIST Cybersecurity Framework (CSF) Relationship to CPGs Questions
- Q: ARE THE CPGs MAPPED TO THE NIST CSF?
A: The National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF) enables organizations to develop a comprehensive, risk-based cybersecurity program and enumerates a holistic set of categorized actions that can be taken to reduce an organization’s cyber risk and quickly respond to and recover from incidents.
As directed by President Biden’s NSM, the CPGs are intended to supplement the NIST CSF for organizations seeking assistance in prioritizing investment toward a limited number of high-impact security outcomes, whether due to gaps in expertise, resources, or capabilities or to enable focused improvements across suppliers, vendors, business partners, or customers. To this end, each goal in the CPGs is mapped to a corresponding subcategory from the NIST CSF.
In our most recent v1.0.1 release, CISA has also grouped the goals according to each of the related CSF functions.
For More Information
To learn more about Cybersecurity Performance Goals, visit cisa.gov/cpg. For more information or to seek additional help, contact Central. For media inquiries, please contact CISA Media at CISAMedia@cisa.dhs.gov.
Sector Specific Goals
Now that the cross-sector CPGs have been published, CISA is working with Sector Risk Management Agencies (SRMAs) to directly engage with each critical infrastructure sector to develop Sector-Specific Goals (SSGs). In most instances, these goals will likely consist of either new, unique additional goals with direct applicability to a given sector, or materials to assist sector constituents with effective implementation of the existing cross-sector CPGs. Sector-specific goals will be developed by:
- Identifying any additional cybersecurity practices, not already included in the Common Baseline, needed to ensure the safe and reliable operation of critical infrastructure in that sector;
- Providing examples of recommended actions specific to the infrastructure and entities in that sector; and
- Mapping any existing requirements (e.g., regulations or security directives) to the Common Baseline and sector-specific objectives and/or recommended actions so stakeholders can see how their existing compliance practices fulfill certain objectives.
As there are 16 Critical Infrastructure sectors with varying needs, CISA will be tackling this effort in several phases. The first four sectors CISA is working with include the Energy, Financial Services, IT, and Chemical Sectors. In addition, CISA will be working throughout the year with the Water/Wastewater Sector, Healthcare Sector, and K-12 Subsector on identifying approaches for how organizations in those sectors/subsector can enhance their cybersecurity posture through implementation of the existing body of cross-sector goals.
To achieve its sector-specific goals development aims, CISA intends to actively engage with sector stakeholders, including by holding multiple development workshops. While Sector Coordinating Councils (SCCs) will be one conduit for part of this outreach, CISA is committed to working closely with SRMAs to ensure that development of all sector-specific materials is done in an open and collaborative fashion that includes participation from stakeholders of varying size and perspective.
More information on the sector-specific goals will be provided as efforts progress.