Start your day with intelligence. Get The OODA Daily Pulse.

Home > Analysis > CISA Releases Voluntary Cross-Sector Cybersecurity Performance Goals

In July 2021, President Biden signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. This memorandum required CISA, in coordination with the National Institute of Standards and Technology (NIST) and the interagency community, to develop baseline cybersecurity performance goals that are consistent across all critical infrastructure sectors. These voluntary cross-sector Cybersecurity Performance Goals (CPGs) are intended to help establish a common set of fundamental cybersecurity practices for critical infrastructure, and especially help small- and medium-sized organizations kickstart their cybersecurity efforts.

The CPGs are a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques. The goals were informed by existing cybersecurity frameworks and guidance, as well as the real-world threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners. By implementing these goals, owners and operators will not only reduce risks to critical infrastructure operations, but also to the American people.

The CPGs are intended to be:

  • A baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value.
  • A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.
  • A combination of recommended practices for IT and OT owners, including a prioritized set of security practices.
  • Unique from other control frameworks as they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation.

The CPGs are:

  • Voluntary: The National Security Memorandum does not create new authorities that compel owners and operators to adopt the CPGs or provide any reporting regarding or related to the CPGs to any government agency.
  • Not Comprehensive. They do not identify all the cybersecurity practices needed to protect national and economic security and public health and safety. They capture a core set of cybersecurity practices with known risk-reduction value broadly applicable across sectors.

As directed by President Biden’s NSM, the CPGs are intended to supplement the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) for organizations seeking assistance in prioritizing investment toward a limited number of high-impact security outcomes, whether due to gaps in expertise, resources, or capabilities or to enable focused improvements across suppliers, vendors, business partners, or customers.

In an effort to accelerate adoption of essential actions to improve cybersecurity across the nation’s critical infrastructure providers, the CPGs recommend an abridged subset of actions to help organizations prioritize their security investments

Full background on the CPGs, their formation, the model, relation to existing standards, and how they should be used is fully outlined in the document. (1)

CISA developed the CPGs in close partnership with organizations across government and the private sector. The resulting CPGs are intended to be implemented in concert with the NIST Cybersecurity Framework. The CPGs prescribe an abridged subset of actions to help organizations prioritize their security investments.

“To reduce risk to the infrastructure and supply chains that Americans rely on every day, we must have a set of baseline cybersecurity goals that are consistent across all critical infrastructure sectors,” said CISA Director Jen Easterly. “CISA has created such a set of cybersecurity performance goals to address medium-to-high impact cybersecurity risks to our critical infrastructure. For months, we’ve been gathering input from our partners across the public and private sectors to put together a set of concrete actions that critical infrastructure owners can take to drive down risk to their systems, networks and data. We look forward to seeing these goals implemented over the coming years and to receiving additional feedback on how we can improve future versions to most effectively reduce cybersecurity risk to our country.”

“Given the myriad serious cybersecurity risks our nation faces, NIST looks forward to continuing to work with industry and government organizations to help them achieve these performance goals,” said Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio. “Our priority remains bringing together the right stakeholders to further develop standards, guidelines and practices to help manage and reduce cybersecurity risk.”

In the months ahead, CISA will actively seek feedback on the CPGs from partners across the critical infrastructure community and has established a Discussions webpage to receive this input. CISA will also begin working directly with individual critical infrastructure sectors as it builds out sector-specific CPGs in the coming months. (2)

Quick Links

Guide Icon Cross-Sector Baseline Cybersecurity Performance Goals (CPGs)

This is the core document, providing a select list of attestable goals to reduce cyberthreat to your organization.

Checklist Icon CPGs Checklist

This document is to be used in tandem with the CPGs to help prioritize and track your organization’s implementation.

Spreadsheet Icon Complete CPGs Matrix/Spreadsheet

This is the master source document for the CPGs, including all reference information and resource links.

Discussion Icon GitHub Discussion Page

This virtual forum has been established by CISA to discuss and collaborate on community-proposed additions, changes, and other considerations for future versions of the CPGs.

Stay Informed

It should go without saying that tracking threats are critical to inform your actions. This includes reading our OODA Daily Pulse, which will give you insights into the nature of the threat and risks to business operations.

Related Reading:

Explore OODA Research and Analysis

Use OODA Loop to improve your decision-making in any competitive endeavor. Explore OODA Loop

Decision Intelligence

The greatest determinant of your success will be the quality of your decisions. We examine frameworks for understanding and reducing risk while enabling opportunities. Topics include Black Swans, Gray Rhinos, Foresight, Strategy, Strategies, Business Intelligence, and Intelligent Enterprises. Leadership in the modern age is also a key topic in this domain. Explore Decision Intelligence

Disruptive/Exponential Technology

We track the rapidly changing world of technology with a focus on what leaders need to know to improve decision-making. The future of tech is being created now and we provide insights that enable optimized action based on the future of tech. We provide deep insights into Artificial Intelligence, Machine Learning, Cloud Computing, Quantum Computing, Security Technology, and Space Technology. Explore Disruptive/Exponential Tech

Security and Resiliency

Security and resiliency topics include geopolitical and cyber risk, cyber conflict, cyber diplomacy, cybersecurity, nation-state conflict, non-nation state conflict, global health, international crime, supply chain, and terrorism. Explore Security and Resiliency

Community

The OODA community includes a broad group of decision-makers, analysts, entrepreneurs, government leaders, and tech creators. Interact with and learn from your peers via online monthly meetings, OODA Salons, the OODAcast, in-person conferences, and an online forum. For the most sensitive discussions interact with executive leaders via a closed Wickr channel. The community also has access to a member-only video library. Explore The OODA Community.

Daniel Pereira

About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.