CISA Updates Cybersecurity Performance Goals Based on NIST CSF

The Cybersecurity and Infrastructure Security Agency (CISA) has updated the Cybersecurity Performance Goals (CPGs) originally released in October 2022 by reorganizing them based on the related NIST CSF.

In July 2021, President Biden issued a National Security Memorandum requiring the development of cross-sector Cybersecurity Performance Goals (CPGs) by the Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the National Institute of Standards and Technology (NIST) and the interagency community, to enhance the cybersecurity of critical infrastructure control systems. The CPGs are voluntary and intended to provide a common set of fundamental cybersecurity practices for all critical infrastructure sectors, with a focus on helping small- and medium-sized organizations improve their cybersecurity efforts.

The first version of the CPGs was published in October 2022. Since publication, CISA received feedback from multiple sectors requesting a more streamlined mapping to the related NIST CSF functions. To address this, CISA released an updated version of the CPGs in March 2023 (version 1.0.1) that reorganizes the goals based on the NIST CSF functions (Identify, Protect, Detect, Respond, and Recover). The reordering and renumbering of the goals align them more closely with the NIST CSF functions, and accompanying documents such as the Checklist and Matrix have been adjusted accordingly. Additionally, the updated version includes changes to the MFA goal based on recently published CISA guidance, and a new goal, based on GitHub feedback, to help organizations with recovery planning.

The CPGs are a prioritized subset of IT and OT cybersecurity practices that aim to significantly reduce risks to both critical infrastructure operations and the American people. They are applicable across all critical infrastructure sectors and are based on the most common and impactful threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners. The CPGs do not represent a comprehensive cybersecurity program, but rather a minimum set of practices that organizations should aim to implement to improve their cybersecurity posture.

CISA intends to update the CPGs regularly, with a targeted revision cycle of at least every 6 to 12 months. The updated CPGs represent an important step towards enhancing the cybersecurity of critical infrastructure control systems and helping organizations of all sizes to improve their cybersecurity efforts.
