CISA CPGs

CISA Cross-Sector Cybersecurity Performance Goals 2.0

FrameworkUnited States

The CISA Cybersecurity Performance Goals (CPGs) 2.0 are a set of prioritised cybersecurity practices for critical infrastructure organisations of all sizes. Released December 2025, CPG 2.0 aligns with the NIST CSF 2.0 six-function structure including the new GOVERN function. The goals provide actionable, measurable benchmarks for reducing cyber risk.

Also explore

GDPR DORA NIS2 SOC 2 HIPAA PCI DSS ISO 27001 CMMC IEC 62443 NERC CIP MITRE ATT&CK ICS Saudi OTCC NIST CSF 2.0 NIST 800-53 NIST 800-171 CIS Controls CSA CCM CSA CAIQ

Functions

2.0

Version (Dec 2025)

NIST CSF

Aligned With

CI Sectors

Who Needs to Comply

Critical Infrastructure Operators

All 16 CISA-designated sectors including energy, water, healthcare, and transportation
Federal agencies and government contractors
State, local, tribal, and territorial (SLTT) government entities
Organizations subject to sector-specific regulations (NERC CIP, HIPAA, etc.)

Small & Medium Organisations

Organisations with limited cybersecurity resources or staff
Companies beginning their cybersecurity journey
Supply chain participants serving critical infrastructure
Any organisation seeking a prioritised, achievable set of security goals

Key Compliance Areas

GOVERN

Governance & Oversight

New in CPG 2.0. Leadership accountability, risk management strategy, cybersecurity governance policies, and supply chain risk management.

IDENTIFY/PROTECT

Identification & Protection

Asset management, risk assessment, access control, awareness training, data security, and secure configuration baselines.

DETECT

Detection & Monitoring

Continuous monitoring, anomaly detection, security event analysis, and comprehensive logging and audit trails.

RESPOND

Incident Response

Incident response planning, communication procedures, analysis and mitigation, and incident reporting to CISA.

RECOVER

Recovery & Continuity

Recovery planning, continuity of operations, lessons learned integration, and public communication during recovery.

How Orizon Helps

Baseline Assessment

Evaluate current cybersecurity posture against CPG 2.0 goals across all six functions.

Prioritise by Function

Start with GOVERN and IDENTIFY goals to establish foundational governance and asset awareness.

Implement PROTECT Goals

Deploy access controls, patching procedures, and secure configuration baselines.

Deploy DETECT Capabilities

Enable logging, monitoring, and anomaly detection aligned with CPG detection goals.

Establish RESPOND & RECOVER Plans

Create incident response procedures and test recovery plans regularly.

Continuous Improvement

Reassess quarterly, track progress against CPG benchmarks, and report to CISA as appropriate.

Official Sources

Assess Your Compliance

Expert guidance for your CISA CPGs compliance journey.

Get Started