CISA Releases Updated Cybersecurity Performance Goals (CPGs) for Critical Infrastructure

Executive Summary

On December 11, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an updated version of its voluntary Cybersecurity Performance Goals (CPGs). These CPGs serve as a recommended baseline of fundamental cybersecurity practices for all critical infrastructure entities. The latest revision incorporates alignments with recent updates to National Institute of Standards and Technology (NIST) frameworks and introduces a heightened focus on governance and accountability. The goal is to provide organizations, particularly small and medium-sized ones, with a clear, prioritized set of actions to significantly reduce risk from the most common cyber threats.

Regulatory Details

The Cybersecurity Performance Goals are voluntary and not legally mandated. However, they represent CISA's official recommendation for a minimum standard of cybersecurity hygiene and are influential in shaping both regulatory expectations and industry best practices.

Key Updates in the New Version

• Alignment with NIST: The CPGs are now more closely aligned with the latest versions of NIST's cybersecurity standards, including the NIST Cybersecurity Framework (CSF) 2.0. This ensures consistency across federal guidance.
• Emphasis on Governance: The updated CPGs place a new and significant emphasis on the 'Govern' function. This includes goals related to establishing clear cybersecurity leadership, defining roles and responsibilities, and integrating risk management into core business strategy.
• Focus on Accountability: The guidance pushes for clear accountability for cybersecurity risk, from the executive level down. It encourages organizations to ensure that risk ownership is well-defined and understood.
• Measurable Actions: The CPGs continue to be a list of specific, measurable actions rather than abstract principles, making it easier for organizations to assess their posture and plan improvements.

Affected Organizations

The CPGs are intended for all 16 U.S. critical infrastructure sectors, including but not limited to:

• Healthcare and Public Health
• Energy
• Financial Services
• Water and Wastewater Systems
• Communications
• Transportation Systems

While the goals are designed to be universally applicable, they are especially valuable for small and medium-sized businesses within these sectors that may lack dedicated cybersecurity resources.

Compliance Requirements

As the CPGs are voluntary, there are no direct compliance requirements or penalties for non-adoption. However, adopting the CPGs can help organizations:

• Demonstrate due care in managing cybersecurity risk, which can be beneficial in legal and regulatory contexts.
• Prepare for future mandatory cybersecurity regulations.
• Provide a structured framework for prioritizing security investments and efforts.

Impact Assessment

The updated CPGs signal a strategic shift in CISA's guidance towards making cybersecurity a core business governance issue, not just an IT problem. By emphasizing governance and accountability, CISA aims to drive a cultural change where cybersecurity is managed as a fundamental business risk. For organizations, adopting these goals can lead to a more resilient security posture by focusing resources on the controls that are most effective against the most likely threats. This can help reduce the frequency and impact of cyber incidents, protecting both the organization and the public services that rely on it.

Compliance Guidance

Organizations seeking to adopt the updated CPGs should take the following steps:

1. Conduct a Gap Analysis: Review the list of CPGs and compare them against your organization's current security controls and policies to identify gaps.
2. Prioritize Implementation: Use the CPGs as a guide to prioritize security initiatives. Focus on foundational goals like asset management, access control, and vulnerability management first.
3. Engage Leadership: Use the new governance-focused goals to engage with executive leadership and the board of directors. Frame cybersecurity not as a cost center, but as a critical component of business risk management.
4. Document and Measure: For each CPG, document how your organization meets the goal and establish metrics to measure your performance over time. This will demonstrate progress and justify continued investment.