CISA Cybersecurity Performance Goals (CPG)

Overview

CISACybersecurity Performance Goals (CPG) is a set of voluntarycybersecurity objectives that help organizations identify andprioritize minimum essential practices for managing cybersecurityrisk. The framework offers concrete guidance on implementing baselinesecurity measures critical to defending against common threats andreducing potential impact from cyber incidents.

Developed by theCybersecurity and Infrastructure Security Agency (CISA), the CPGsprovide actionable recommendations for critical infrastructureoperators, public sector entities, and private organizations of allsizes. The framework focuses on core areas including networksecurity, access control, vulnerability management, incidentresponse, and supply chain risk.

Organizationsimplement the CPGs by integrating performance goals into theircybersecurity programs, performing risk assessments, and regularlymonitoring progress against these goals. The framework supportscompliance initiatives, complements standards like NIST CybersecurityFramework and CIS Controls, and strengthens overall risk managementand operational resilience.

Why it Matters

CISACybersecurity Performance Goals help organizations focus on essentialsecurity practices to mitigate cyber risks and bolster overallresilience.

Key benefitsinclude:

•  Strengthen cybersecurity governance

Enableorganizations to establish clear security objectives, roles, andpriorities that enhance program accountability and strategicdirection.

•  Enhance operational resilience

Reduce thelikelihood and impact of cyber incidents by establishing reliablebaseline controls for critical assets and services.

•  Improve regulatory and standards alignment

Facilitatealignment with industry-recognized frameworks and support ongoingcompliance with regulatory and contractual cybersecurity obligations.

•  Support continuous risk management

Encourageregular risk assessments and progress reviews to adapt controls basedon evolving threats and organizational needs.

•  Increase audit readiness

Document clearcyber objectives and measurable progress, making it easier todemonstrate security program effectiveness during internal andexternal assessments.

How it Works

The CISACybersecurity Performance Goals (CPG) framework establishes a set ofprioritized cybersecurity practices structured around key securityobjectives and cross-industry requirements. It organizes thesepractices into essential security controls and technical safeguardsmapped to critical governance domains, risk management principles,and regulatory expectations. The framework is designed to beactionable and measurable, providing a baseline of cybersecurityperformance applicable across industries, with controls grouped inareas such as identity protection, device management, protectivetechnology, and incident response.

In practice,organizations utilize the CISA CPGs by implementing the recommendedsecurity controls within their operational environments. They conductrisk assessments to identify gaps, monitor compliance withperformance goals, strengthen governance, and enhance their overallsecurity posture. Frequent evaluations and ongoing monitoring helptrack progress toward achieving the CPGs, while periodic assessmentssupport regulatory compliance and continuous improvement of securitypractices.

SmartSuiteenables organizations to operationalize the CISA CPGs throughpre-built control libraries, integrated risk registers, policygovernance tools, and evidence collection features. Compliancetracking modules and remediation workflows streamline management ofcorrective actions, while reporting dashboards provide real-timevisibility into performance against security goals and regulatoryobligations.

Key Elements

•  Network Security Safeguards

Definesprotections for network infrastructure, covering segmentation,perimeter defenses, and secure communications.

•  Access Management Principles

Describes thefoundational requirements for controlling user and system privilegesand authentication mechanisms.

•  Vulnerability Management Processes

Specifiesmethods for identifying, assessing, and addressing security flaws andexposures.

•  Incident Response Capabilities

Outlinesstructured approaches to preparing for and managing cybersecurityincidents and breaches.

•  Supply Chain Risk Oversight

Establishescriteria for evaluating third-party risks and ensuring vendorsecurity practices.

•  Performance Monitoring Metrics

Organizesmeasurement and review mechanisms for tracking progress againstcybersecurity goals.

•  Governance and Policy Integration

Structuresoversight functions and policy development within the cybersecurityprogram.

Framework Scope

CISACybersecurity Performance Goals (CPG) is adopted by criticalinfrastructure operators, public entities, and private sectororganizations responsible for safeguarding key information systemsand industrial control environments. It is typically integratedduring initiatives to enhance baseline security postures, guide riskmanagement, and support compliance assessments within evolving threatlandscapes.

Framework Objectives

CISACybersecurity Performance Goals (CPG) provides foundationalobjectives to guide organizations in managing cybersecurity risk andstrengthening security posture.

•  Strengthen governance and oversight of cybersecurity and riskmanagement processes

•  Enhance protection of critical data and information systems fromcyber threats

•  Support compliance with regulatory requirements and industrysecurity standards

•  Improve operational resilience to minimize the impact ofpotential cyber incidents

•  Enable effective risk management and measurement through definedsecurity controls

•  Promote continuous improvement in data protection and incidentresponse capabilities CISA Cybersecurity Performance Goals (CPG)align with and map to existing frameworks such as the NISTCybersecurity Framework, CIS Critical Security Controls, NIST SP800-53 and NIST SP 800-207 (Zero Trust), offering prioritizedobjectives. Organizations adopt CPGs for regulatory alignment,governance, risk reduction, and to drive operational securityimprovements or federal compliance efforts.

Common Framework Mappings

Organizationsmap CISA Cybersecurity Performance Goals (CPG) to establishedframeworks to ensure consistent controls, streamline audits, enableregulatory alignment, and leverage existing mappings and threat andcontrol taxonomies for risk management.

Mappedframeworks include:

CIS CriticalSecurity Controls

ISO/IEC 27001

MITRE ATT&CK

NISTCybersecurity Framework

NIST SP 800-171

NIST SP 800-207

NIST SP 800-53

SOC 2