CISA Cybersecurity Performance Goals (CPG)

Why it Matters

CISA Cybersecurity Performance Goals help organizations focus onessential security practices to mitigate cyber risks and bolsteroverall resilience.

Key benefits include:

• Strengthen cybersecurity governance

Enableorganizations to establish clear security objectives, roles, andpriorities that enhance program accountability and strategicdirection.

• Enhance operational resilience

Reduce thelikelihood and impact of cyber incidents by establishing reliablebaseline controls for critical assets and services.

• Improve regulatory and standards alignment

Facilitatealignment with industry-recognized frameworks and support ongoingcompliance with regulatory and contractual cybersecurity obligations.

• Support continuous risk management

Encourage regularrisk assessments and progress reviews to adapt controls based onevolving threats and organizational needs.

• Increase audit readiness

Document clearcyber objectives and measurable progress, making it easier todemonstrate security program effectiveness during internal andexternal assessments.

How it Works

The CISA Cybersecurity Performance Goals (CPG) framework establishesa set of prioritized cybersecurity practices structured around keysecurity objectives and cross-industry requirements. It organizesthese practices into essential security controls and technicalsafeguards mapped to critical governance domains, risk managementprinciples, and regulatory expectations. The framework is designed tobe actionable and measurable, providing a baseline of cybersecurityperformance applicable across industries, with controls grouped inareas such as identity protection, device management, protectivetechnology, and incident response.

In practice, organizations utilize the CISA CPGs by implementing therecommended security controls within their operational environments.They conduct risk assessments to identify gaps, monitor compliancewith performance goals, strengthen governance, and enhance theiroverall security posture. Frequent evaluations and ongoing monitoringhelp track progress toward achieving the CPGs, while periodicassessments support regulatory compliance and continuous improvementof security practices.

SmartSuite enables organizations to operationalize the CISA CPGsthrough pre-built control libraries, integrated risk registers,policy governance tools, and evidence collection features. Compliancetracking modules and remediation workflows streamline management ofcorrective actions, while reporting dashboards provide real-timevisibility into performance against security goals and regulatoryobligations.

Key Elements

• Network Security Safeguards

Definesprotections for network infrastructure, covering segmentation,perimeter defenses, and secure communications.

• Access Management Principles

Describes thefoundational requirements for controlling user and system privilegesand authentication mechanisms.

• Vulnerability Management Processes

Specifies methodsfor identifying, assessing, and addressing security flaws andexposures.

• Incident Response Capabilities

Outlinesstructured approaches to preparing for and managing cybersecurityincidents and breaches.

• Supply Chain Risk Oversight

Establishescriteria for evaluating third-party risks and ensuring vendorsecurity practices.

• Performance Monitoring Metrics

Organizesmeasurement and review mechanisms for tracking progress againstcybersecurity goals.

• Governance and Policy Integration

Structuresoversight functions and policy development within the cybersecurityprogram.

Framework Scope

CISA Cybersecurity Performance Goals (CPG) is adopted by criticalinfrastructure operators, public entities, and private sectororganizations responsible for safeguarding key information systemsand industrial control environments. It is typically integratedduring initiatives to enhance baseline security postures, guide riskmanagement, and support compliance assessments within evolving threatlandscapes.

Framework Objectives

CISA Cybersecurity Performance Goals (CPG) provides foundationalobjectives to guide organizations in managing cybersecurity risk andstrengthening security posture.

Strengthen governance and oversight of cybersecurity and riskmanagement processes

Enhance protection of critical data and information systems fromcyber threats

Support compliance with regulatory requirements and industry securitystandards

Improve operational resilience to minimize the impact of potentialcyber incidents

Enable effective risk management and measurement through definedsecurity controls

Promote continuous improvement in data protection and incidentresponse capabilities CISA Cybersecurity Performance Goals (CPG)align with and map to existing frameworks such as the NISTCybersecurity Framework, CIS Critical Security Controls, NIST SP800-53 and NIST SP 800-207 (Zero Trust), offering prioritizedobjectives. Organizations adopt CPGs for regulatory alignment,governance, risk reduction, and to drive operational securityimprovements or federal compliance efforts.

Common Framework Mappings

Organizations map CISA Cybersecurity Performance Goals (CPG) toestablished frameworks to ensure consistent controls, streamlineaudits, enable regulatory alignment, and leverage existing mappingsand threat and control taxonomies for risk management.

Mapped frameworks include:

CIS Critical Security Controls

ISO/IEC 27001

MITRE ATT&CK

NIST Cybersecurity Framework

NIST SP 800-171

NIST SP 800-207

NIST SP 800-53

SOC 2