European Commission Logo
Newsroom


CISA's Cross-Sector Cybersecurity Performance Goals

The goals are a prioritized subset of cybersecurity practices aimed at reducing risks to critical infrastructure operations. These goals are informed by the most common and impactful threats and adversary tactics.


Date: 15/05/2023

The Cross-Sector Cybersecurity Performance Goals (CPGs) are a prioritized subset of IT and OT cybersecurity practices aimed at reducing risks to critical infrastructure operations. These goals are applicable across all critical infrastructure sectors and are informed by the most common and impactful threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners, making them a common set of protections that all critical infrastructures — from large to small — should implement.

The CPGs do not reflect an all-encompassing cybersecurity program – rather, they are a minimum set of practices that organizations should implement and aim to help critical infrastructure entities, particularly small and medium CI, get started on their path toward a strong cybersecurity posture.

As such, the CPGs are intended to be a floor, not a ceiling, for what cybersecurity protections CI should implement to reduce their cyber risk. Importantly, the CPGs:

  • represent a minimum baseline of cybersecurity practices with known risk-reduction value broadly applicable across all sectors, and will be followed by sector-specific goals that dive deeper into the unique constraints, threats, and maturity of each sector where applicable.
  • are intended to be voluntarily adopted by organizations to enable prioritization of security investments toward the most critical outcomes, in conjunction with broader frameworks.
  • apply to all critical infrastructures and are not tiered into “maturity” categories.
