Cross-Sector Cybersecurity Performance Goals | CISA

type

status

date

summary

category

URL

password

slug

icon

An abstract of cyber lines

CISA's Cybersecurity Performance Goals (CPGs) are a subset of cybersecurity practices, selected through a thorough process of industry, government, and expert consultation, aimed at meaningfully reducing risks to both critical infrastructure operations and the American people. These voluntary CPGs strive to help small- and medium-sized organizations kickstart their cybersecurity efforts by prioritizing investment in a limited number of essential actions with high-impact security outcomes.

The CPGs are intended to be:

A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.

A combination of recommended practices for information technology (IT) and operational technology (OT) owners, including a prioritized set of security practices.

Unique from other control frameworks as they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation.

A baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value.

CISA's CPGS have been organized to align to the National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF) functions:

Identify: Develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

Protect: Develop and implement the appropriate safeguards to ensure delivery of services.

Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that we impaired due to a cybersecurity event.