CISA Releases Cross-Sector Cybersecurity Performance Goals 2.0
CISA has launched CPG 2.0, which aligns with the NIST CSF 2.0 framework, introduces a new "Govern" function for executive accountability, and consolidates IT/OT security goals into clearer, actionable guidance.
The Cybersecurity and Infrastructure Security Agency (CISA) has released version 2.0 of its Cross-Sector Cybersecurity Performance Goals (CPGs), providing organizations with an updated framework for integrating cybersecurity into daily operations. The enhanced guidance aligns with the NIST Cybersecurity Framework 2.0 and incorporates three years of operational insights.
What's New in CPG 2.0
The updated Cybersecurity Performance Goals include several significant improvements:
- New "Govern" function: Underscores the critical role of organizational leadership in cybersecurity
- Executive accountability: New goals focused on risk management strategy and policy development
- Consolidated IT/OT goals: Unified approach eliminates silos across IT, IoT, and OT environments
- Streamlined guidance: Redundant and unclear goals removed to improve usability
Alignment with NIST CSF 2.0
CPG 2.0 maps directly to the NIST Cybersecurity Framework 2.0, enabling organizations to:
- Use consistent terminology across frameworks
- Measure progress against industry-standard benchmarks
- Demonstrate compliance to regulators and stakeholders
- Prioritize investments based on risk-informed guidance
The Govern Function
The new "Govern" function represents the most significant addition to CPG 2.0. It emphasizes that cybersecurity is a business risk requiring executive attention, not just a technical concern. Key governance goals include:
- Establishing organizational cybersecurity strategy
- Defining roles and responsibilities
- Integrating cyber risk into enterprise risk management
- Ensuring adequate resources for security programs
Operational Technology Integration
CPG 2.0 consolidates previously separate IT and OT security goals into universal guidance. This reflects the reality that modern organizations operate interconnected environments where traditional boundaries between IT and OT systems have blurred.
Implementation Resources
CISA provides supporting materials for each goal, including:
- Clear methodology for implementation
- Metrics for measuring progress
- Reference architectures and best practices
- Mapping to regulatory requirements
The updated CPGs are available on CISA's website and are recommended for organizations of all sizes seeking to improve their cybersecurity posture.