The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has updated its Cross-Sector Cybersecurity Performance Goals to provide critical infrastructure operators “a more robust framework for integrating cybersecurity into daily operations.”
Version 2.0 of the CPGs, released Dec. 11, was developed with the input of industry stakeholders, government agencies and cybersecurity experts, based on CISA’s operational data and research on the current threat landscape. The goals are intended to align with the National Institute of Standards and Technology’s Cybersecurity Framework 2.0, introduced in 2024. (See NIST Expands Cyber Framework in Latest Release.)
CISA introduced the CPGs in 2022, following a directive from President Biden that DHS and NIST establish a set of “baseline security practices” to be followed by critical infrastructure owners and operators across sectors. (See Biden Launches ICS Cybersecurity Initiative.) However, adoption of the goals has led to a gap between large organizations and others, which CISA acknowledged “often struggle to translate high-level goals into concrete action.” The agency wrote that this gap has led to dangerous vulnerabilities in critical facilities.
In a press release, CISA wrote that the CPGs “offer a practical starting point for small- and medium-sized organizations” to improve their cybersecurity posture “by focusing on a limited set of high-impact actions.” Acting Director Madhu Gottumukkala said the update “demonstrates our commitment to listening to and incorporating partner feedback to deliver practical, outcome-driven guidance that organizations can act on.”
“These goals are applicable across all critical infrastructure sectors and offer foundational protection for organizations regardless of their cybersecurity maturity,” Gottumukkala added. “We encourage all organizations to adopt the new CPGs and continue sharing feedback to help us refine future iterations.”
The CPGs are organized into six functions, presenting best practices to address individual risk and aggregate risks to U.S. critical infrastructure overall. The first function, “govern,” is a new addition reflecting “the critical role of organizational leadership in cybersecurity” and mirroring the addition of a similar function in NIST’s framework.
Practices under this function include establishing cybersecurity roles, responsibilities and authorities within the organization, and communicating them with external partners; reviewing cybersecurity program management at least once a year, updating as needed and communicating changes; maintaining and practicing incident response plans; managing supply chain risks; and addressing risks from managed service providers.
Functions carried over from the previous version include identification, which covers managing organizational assets, documenting network topology and mitigating known vulnerabilities; protection, which concerns passwords, credential maintenance, encryption and other defensive measures; detection, for spotting unauthorized access attempts; incident response; and recovery.
CISA also consolidated some goals by eliminating duplicate guidance. Specifically, the agency gathered information technology, operational technology and internet of things goals into a single goal set in recognition of the fact that these categories increasingly are blurred in modern infrastructure. CISA wrote that the changes would allow “small- and medium-sized entities [to] apply one framework across their entire estate, without confusion over domain-specific goals.”
Future updates to the CPGs should arrive at a 24- to 36-month cadence, CISA wrote.