The Cybersecurity and Infrastructure Security Agency (CISA) has published version 2.0 of its Cross-Sector Cybersecurity Performance Goals (CPGs). Let's take a look at the CPGs and what changed in this latest version.

About the CPGs

The CPGs are one of four frameworks the federal banking agencies listed as an alternative to the Cybersecurity Assessment Tool (CAT) in the FFIEC CAT Sunset Statement.

While the Cross-Sector CPGs are not intended to be a comprehensive cybersecurity framework, they outline the highest-priority practices organizations should implement to improve their cybersecurity posture.

This makes them a good starting point for smaller organizations and a great layer in any cybersecurity program.

Note: A financial sector-specific version of the CPGs is in development but has not yet been published. The CISA website says it will be published in "Winter 2025."


Changes in CPG Version 2.0

The latest version of the CISA CPGs adds, removes, and updates goals to better align the CPGs with the NIST Cybersecurity Framework (CSF) and other current industry best practices. Here's an overview of the changes.

New Goals

Version 2.0 adds six new goals.

  • 1.B Manage Cybersecurity Oversight
  • 1.E Manage Risks from Managed Service Providers
  • 3.H Implement the Principles of Least Privilege
  • 4.A Establish Malicious Code Detection
  • 4.B Identify Adverse Events
  • 5.A Establish Incident Communication Procedures

The previous version of the CPGs only implied some of these expectations within broader goals; the updated CPGs now state them explicitly as standalone goals for these common security best practices.

Removed Goals

Three goals were removed from the CPGs.

  • 1.I Vendor/Supplier Cybersecurity Requirements
  • 3.A Detecting Relevant Threats and TTPs
  • 4.C Deploy Security.txt Files

These three goals were removed because they overlapped with other goals. Their outcomes are still covered by other CPGs, just no longer as standalone goals.

Updated Goals

Here's an overview of some key updates.

Some goals were moved from one function to another. For example, 2.S Incident Response (IR) Plans (Protect) is now 1.C Manage Incident Response Plans (Govern).

The scope of some goals was expanded. For example:

  • The goal about revoking credentials for departing "employees" was expanded to include all "staff" (e.g., personnel, contractors, vendors).
  • The goal about "device configurations" was expanded to more broadly address "change management processes."
  • The goal about "system backups" was expanded to include "restoration ability" requirements.

Overlapping goals were combined. For example:

  • The three cybersecurity leadership goals (1.B, 1.C, and 1.D) were combined into one about cybersecurity responsibilities (1.A).
  • The two data protection goals (2.K and 2.L) were combined into one about strong encryption (3.K).
  • The two log management goals (2.T and 2.U) were combined into one about log collection and storage (3.Q).

OT-specific goals were removed and their content folded into the descriptions of general goals. For example, the previous version had several goals specific to operational technology (OT), such as 1.C OT Cybersecurity Leadership, 2.J OT Cybersecurity Training, and 2.X Limit OT Connections to Public Internet. Now, the relevant general goals explain in their "Recommended Action" field how the goal applies to OT.

New Companion Guide

CISA also published a new Cross-Sector Cybersecurity Performance Goals companion guide to help organizations implement and assess against the CPGs.

The guide provides an overview of the CPGs, along with helpful context, mappings to NIST frameworks, available CISA resources, and other tools for improving an organization's cybersecurity posture.

Assess the Updated CPGs with Tandem

Tandem's free Cybersecurity Assessment software now includes a framework template for the updated CISA CPGs v2.0. With features for gap analysis, control mapping, peer analysis, presentation documents, and more, Tandem is designed to help you perform cybersecurity control self-assessments with ease.

Additionally, Pro users can import answers from a completed assessment based on the previous version of the CPGs (v1.0.1) as a starting point.

Learn more and sign up for the free version at Tandem.App/Cybersecurity.