CISA Releases First Ever Cross-Sector CPGs. What's Inside?

Cybersecurity News

CISA has finally released its highly anticipated Cross-Sector Cybersecurity Performance Goals in collaboration with DHS, NIST and numerous industry leaders.
The Performance Goals (or CPGs) come as a response to National Security Memorandum (NSM)-5 which President Biden signed in 2021, instructing CISA to develop baseline cybersecurity goals that are consistent across all critical infrastructure sectors.

At the time, geopolitical tensions had risen precipitously, and the US was looking to shore up its critical infrastructure against digital attacks from foreign actors like Russia, China, and North Korea.

What are the CPGs?

The CPGs are a prioritized list of cybersecurity practices that combat the most common and impactful security threats, specifically those facing critical infrastructure entities. The framework incorporates both IT and OT, and is designed to function in tandem with broader cybersecurity frameworks such as the NIST CSF.

The framework is divided into 8 categories, covering issues ranging from Data Security and Vulnerability Management to Governance and Incident Response. Each category is further broken down into a series of best practices, along with detailed goals, scope, recommended actions, and NIST mapping. Along with the CPGs themselves, CISA released a workbook to help guide organizations during the implementation process, as well as a data matrix that contains all the raw CPG data and mappings to other leading frameworks.

What the CPGs are not


  • The CPGs do not address every industry or protect every organization. They present a minimum level of protection that is relevant for most industries. (Industry-specific frameworks are still being planned by CISA.) Similarly, the guidelines contained in the CPGs are intended to be used by all organizations, regardless of maturity status. However, the workbook does include associated costs and complexity for each security practice, helping companies appropriately prioritize their efforts.

Risk Management

  • The CPGs are intended to help organizations, and SMEs in particular, establish a baseline of standardized and effective security practices. It does not replace broader risk management procedures which are covered in other frameworks.


  • The Cross-Sector Cybersecurity Performance Goals are voluntary guides. They are not mandated by any legal or industry bodies.

Areas of Focus


  • Basic credential hygiene composes the bulk of the first section of the CPGs. Practices like password complexity, unique passwords, changing default credentials, access management and MFA may be nothing new, but many organizations continue to struggle with implementation. For many, common sense authentication will go a long way in boosting their security posture without any costly or complex upgrades.


  • It's become clear over the last decade that many security challenges simply cannot be addressed with technology alone. Social attacks have continued to rise, often with startling success rates. Furthermore, security policies need to be properly understood, implemented, and maintained. Accordingly, the CPGs contain a series of targeted recommendations to help increase cyber awareness throughout the organization as well as encourage inter-departmental collaboration. (There is even a suggestion to host "at least one pizza party" per year to strengthen relationships between IT and OT personnel.) Other, less delicious, recommendations include regular training sessions, segmented governance roles, and strong leadership.

Attack Surface Management

  • An organization's attack surface represents the entirety of its exposure to external threats. As tech stacks deepen and dependencies increase, many organizations have struggled to maintain an accurate understanding of their attack surface, let alone protect it. The CPGs issue a string of recommendations around limiting your exposure to the public internet, assessing third party risks, and patch management.

Incident Response

  • Maintaining up-to-date system backups is one of the most effective ways to mitigate ransomware or other types of malware attacks. CISA recommends that organizations perform backups at least once per year. In addition, IR plans should be as realistic as possible and response plans for both common and organizationally-specific threat scenarios and TTPs should be practiced. Managed threat detection, or log monitoring, can go a long way in reducing the time-to-detection, vastly limiting the potential fallout.

To view the 2022 Cross-Sector Cybersecurity Performance Goals in their entirety, visit

Silent Breach can assist in understanding your company's posture with respect to the CPGs and guide you in implementing the gaps to meet this new regulation. To learn more, contact or visit us at

Similar Reads:
Blockchain Security: A Brief Overview
Are We At (Cyber) War With China?
How the Dark Web Can Protect Your Company

About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.