Cross-Sector Cybersecurity Performance Goals
A common set of protections that all critical infrastructure entities - from large to small - should implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques.
CISA's Cross-Sector Cybersecurity Performance Goals (CPGs) are a subset of cybersecurity practices, selected through a thorough process of industry, government, and expert consultation, aimed at meaningfully reducing risks to both critical infrastructure operations and the American people. These voluntary Cross-Sector CPGs strive to help small- and medium-sized organizations kickstart their cybersecurity efforts by prioritizing investment in a limited number of essential actions with high-impact security outcomes.
The Cross-Sector CPGs are intended to be:
- A baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value.
- A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.
- A combination of recommended practices for information technology and operational technology owners, including a prioritized set of security practices.
- Unique from other control frameworks as they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation.
CISA is proud to introduce the first sets of Sector-Specific Goals (SSGs) that are tailored for organizations in select critical infrastructure sectors. Developed in partnership with Sector Risk Management Agencies (SRMAs) and sector stakeholders, SSGs address unique requirements in select critical infrastructure sectors, and build upon CISA’s Cross-Sector CPGs.
Available Now:
- Cross-Sector CPGs
- Chemical Sector SSGs
- Energy Sector (Distribution and Distributed Energy Resources) SSGs
- Healthcare SSGs
Information Technology SSGs
Coming Soon:
- Financial Services SSGs (Fall 2024)
Scroll down and explore the available SSGs!
Important Cross-Sector CPG Links:
For additional information or questions related to Cross-Sector CPGs and/or SSGs, please email CybersecurityPerformanceGoals@cisa.dhs.gov.
CISA's Cross-Sector CPGs have been organized to align to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) functions. CISA is in the process of updating its Cross-Sector CPGs to align with NIST's CSF 2.0:
- Govern: The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
- Identify: The organization’s current cybersecurity risks are understood.
- Protect: Safeguards to manage the organization’s cybersecurity risks are used.
- Detect: Possible cybersecurity attacks and compromises are found and analyzed.
- Respond: Actions regarding a detected cybersecurity incident are taken.
- Recover: Assets and operations affected by a cybersecurity incident are restored.
Browse Featured SSG Content
National Association of Regulatory Utility Commissioners and the U.S. Department of Energy Cybersecurity Baselines for Energy
In February 2024, the National Association of Regulatory Utility Commissioners and the U.S. Department of Energy co-developed a set of cybersecurity baselines for electric distribution systems and distributed energy resources that connect them.
EPA Guidance on Improving Cybersecurity at Drinking Water and Wastewater Systems
This document was developed to assist owners and operators of drinking water and wastewater systems (WWSs) with assessing gaps in their current cybersecurity practices and controls and identifying actions that may reduce their risk from cyberattacks.
Chemical Sector-Specific Goals
Chemical SSGs are voluntary practices with high-impact security actions that go beyond Cross-Sector CPGs and are measures where Chemical Sector businesses can take to protect themselves against cyber threats.
U.S. Department of Health and Human Services Health and Public Health Cybersecurity Performance Goals
On January 25, the U.S. Department of Health and Human Services published voluntary healthcare specific Cybersecurity Performance Goals to help healthcare organizations prioritize implementation of high-impact cybersecurity practices.
Information Technology (IT) Sector-Specific Goals
The IT SSGs are additional voluntary practices with high-impact security actions, beyond the Cross-Sector CPGs, that outline measures IT Sector businesses and critical infrastructure owners can take to protect themselves against cyber threats.
Cybersecurity Performance Goals: Sector-Specific Goals
Now that the cross-sector CPGs have been published, CISA is working to develop Sector-Specific Goals (SSGs) for each of the 16 Critical Infrastructure sectors.
Browse Featured CPG Content
Cybersecurity Performance Goals Report
Background on the CPGs, their formation, the model, relation to existing standards, and how they should be used is fully outlined in the CPG Report document.
Cross-Sector Cybersecurity Performance Goals - Slick Sheet
This factsheet provides an overview of the Cybersecurity Performance Goals.
Cybersecurity Performance Goals: Frequently Asked Questions
View frequently asked questions related to CISA's Cybersecurity Performance Goals (CPGs) and learn about the CPGs' relationship to the NIST Cybersecurity Framework (CSF).
Blogs and Videos
Intro to CISA Cybersecurity Performance Goals
CISA Executive Assistant Director for Cybersecurity Eric Goldstein provides intro to the Cybersecurity Performance Goals and how they are an easy first step for any organization to take looking to improve its cyber posture.
Cybersecurity Performance Goals LinkedIn Live
On November 29, we hosted our first LinkedIn Live featuring our Cybersecurity Performance Goals. Missed it? Not a problem. We invite you to watch a recording of it. You can also check out our FAQ document below which includes some Q&A from the event.
Cybersecurity Performance Goals: Assessing How CPGs Help Organizations Reduce Cyber Risk
Recently, CISA identified positive trends on two CPGs across nearly 3,500 organizations enrolled in our Vulnerability Scanning service. Read about the findings in this blog.
Take the First Steps Towards Better Cybersecurity With these Four Goals
Every day, organizations across our country are impacted by cyber intrusions, many of which affect the delivery of essential services.
Browse Related Resources
Physical Security Performance Goals for Faith-Based Communities
These goals provide readily implementable, cost-effective solutions and resources to help faith-based communities reduce risk and enhance resilience.
For more information or to seek additional help, contact Central. For media inquiries, please contact CISA Media at CISAMedia@cisa.dhs.gov.