Cross-Sector Cybersecurity Performance Goals

A common set of protections that all critical infrastructure entities - from large to small - should implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques.

CISA's Cross-Sector Cybersecurity Performance Goals (CPGs) are a subset of cybersecurity practices, selected through a thorough process of industry, government, and expert consultation, aimed at meaningfully reducing risks to both critical infrastructure operations and the American people. These voluntary Cross-Sector CPGs strive to help small- and medium-sized organizations kickstart their cybersecurity efforts by prioritizing investment in a limited number of essential actions with high-impact security outcomes. 

The Cross-Sector CPGs are intended to be: 
  • A baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value.    
  • A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.    
  • A combination of recommended practices for information technology and operational technology owners, including a prioritized set of security practices.    
  • Distinct from other control frameworks in that they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation.

CISA is proud to introduce the first sets of Sector-Specific Goals (SSGs) that are tailored for organizations in select critical infrastructure sectors. Developed in partnership with Sector Risk Management Agencies (SRMAs) and sector stakeholders, SSGs address unique requirements in select critical infrastructure sectors, and build upon CISA’s Cross-Sector CPGs. 

Available Now: 
  • Cross-Sector CPGs
  • Chemical Sector SSGs 
  • Energy Sector (Distribution and Distributed Energy Resources) SSGs 
  • Healthcare SSGs
  • Information Technology SSGs

Coming Soon: 
  • Financial Services SSGs (Winter 2025) 

Scroll down and explore the available SSGs! 

For additional information or questions related to Cross-Sector CPGs and/or SSGs, please email CybersecurityPerformanceGoals@cisa.dhs.gov.

CISA's Cross-Sector CPGs have been organized to align to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) functions. CISA is in the process of updating its Cross-Sector CPGs to align with NIST's CSF 2.0: 

  1. Govern: The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
  2. Identify: The organization’s current cybersecurity risks are understood.
  3. Protect: Safeguards to manage the organization’s cybersecurity risks are used.
  4. Detect: Possible cybersecurity attacks and compromises are found and analyzed.
  5. Respond: Actions regarding a detected cybersecurity incident are taken.
  6. Recover: Assets and operations affected by a cybersecurity incident are restored.

Browse Featured SSG Content

JCDC Artificial Intelligence Cyber Tabletop Exercise

National Association of Regulatory Utility Commissioners and the U.S. Department of Energy Cybersecurity Baselines for Energy

In February 2024, the National Association of Regulatory Utility Commissioners and the U.S. Department of Energy co-developed a set of cybersecurity baselines for electric distribution systems and the distributed energy resources that connect to them.

EPA Guidance on Improving Cybersecurity at Drinking Water and Wastewater Systems

This document was developed to assist owners and operators of drinking water and wastewater systems (WWSs) with assessing gaps in their current cybersecurity practices and controls and identifying actions that may reduce their risk from cyberattacks.

Chemical Sector-Specific Goals

Chemical SSGs are voluntary practices with high-impact security actions that go beyond the Cross-Sector CPGs; they are measures that Chemical Sector businesses can take to protect themselves against cyber threats.

U.S. Department of Health and Human Services Health and Public Health Cybersecurity Performance Goals

On January 25, the U.S. Department of Health and Human Services published voluntary healthcare-specific Cybersecurity Performance Goals to help healthcare organizations prioritize implementation of high-impact cybersecurity practices.

Information Technology Sector-Specific Goals

IT SSGs are voluntary practices with high-impact security actions that go beyond the Cross-Sector CPGs; they are measures that IT Sector businesses can take to protect themselves against cyber threats.

Cybersecurity Performance Goals: Sector-Specific Goals

Now that the cross-sector CPGs have been published, CISA is working to develop Sector-Specific Goals (SSGs) for each of the 16 Critical Infrastructure sectors.

Financial Sector-Specific Goals

Browse Featured CPG Content

Cybersecurity Performance Goals Report

Background on the CPGs, their formation, the model, relation to existing standards, and how they should be used is fully outlined in the CPG Report document.

Cross-Sector Cybersecurity Performance Goals - Slick Sheet

This factsheet provides an overview of the Cybersecurity Performance Goals.

Cybersecurity Performance Goals: Frequently Asked Questions

View frequently asked questions related to CISA's Cybersecurity Performance Goals (CPGs) and learn about the CPGs' relationship to the NIST Cybersecurity Framework (CSF).

Blogs and Videos

Intro to CISA Cybersecurity Performance Goals

An introduction to the Cybersecurity Performance Goals and how they are an easy first step for any organization looking to improve its cyber posture.

Cybersecurity Performance Goals CISA Live!

On November 29, 2023, we hosted our first CISA Live! on LinkedIn featuring our Cybersecurity Performance Goals. We invite you to watch a recording of it. You can also check out our FAQ document which includes some Q&A from the event.

Cybersecurity Performance Goals: Assessing How CPGs Help Organizations Reduce Cyber Risk

Recently, CISA identified positive trends on two CPGs across nearly 3,500 organizations enrolled in our Vulnerability Scanning service. Read about the findings in this blog.

Take the First Steps Towards Better Cybersecurity With these Four Goals

Every day, organizations across our country are impacted by cyber intrusions, many of which affect the delivery of essential services. 

Browse Related Resources

Physical Security Performance Goals for Faith-Based Communities

These goals provide readily implementable, cost-effective solutions and resources to help faith-based communities reduce risk and enhance resilience.

Downloading and Installing CSET

The Cyber Security Evaluation Tool (CSET) provides a systematic, disciplined, and repeatable approach for evaluating an organization’s security posture. 

For more information or to seek additional help, contact Central. For media inquiries, please contact CISA Media at CISAMedia@cisa.dhs.gov.
