CISA and Cross-Sector Cybersecurity Performance

CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) reflect the federal government’s effort to raise the baseline for basic cybersecurity effectiveness. CPG 2.0 breaks away from the idea of a strict framework, instead establishing a strategic, outcome-driven baseline for cybersecurity performance that cuts across industries, operating environments, and organizational maturity levels.

For CISOs, CIOs, and compliance officers, the value of CPG 2.0 lies in its reframing of cybersecurity as a set of measurable performance expectations anchored in governance and risk management.

Why Cross-Sector Performance Goals Exist at All

Most organizations already operate within multiple cybersecurity frameworks and regulatory jurisdictions, all of which call for overlapping and (in some cases) competing resources. While these frameworks provide structure, they often fail to answer a more fundamental question about risk management.

CPGs were created to define the highest-impact cybersecurity outcomes that organizations should reasonably achieve, regardless of industry, as a baseline. They are intentionally sector-agnostic, reflecting a growing consensus among policymakers and practitioners that cybersecurity resilience is not achieved by implementing everything, but by prioritizing the right things and measuring their effectiveness.

What Makes CPG 2.0 Different From Traditional Frameworks

The original CPGs were introduced in 2022 to set up an agnostic set of best practices and outcomes that would benefit any agency or business. The most notable change during the move to 2.0 is the explicit elevation of governance to a first-class cybersecurity function. By foregrounding governance, CPG 2.0 reframes cybersecurity as a leadership responsibility rather than a purely technical domain. For CISOs and CIOs, this provides a stronger foundation for engaging boards and executives in meaningful risk discussions. For compliance officers, it creates a clearer line between cybersecurity activities and enterprise risk management.

CPG 2.0 in Practice: The Six Functions and Their Core Goals

Govern: Leadership, Accountability, and Cyber Risk Strategy

The inclusion of Governance as a core function is a defining innovation of CPG 2.0. It transforms cybersecurity from a technical discipline into a strategic enterprise risk capability.

Governance goals require leadership engagement in cybersecurity oversight, straightforward assignment of roles and responsibilities, and integration with broader business risk strategy. They also emphasize managing risks from third-party providers, making cybersecurity a board-level conversation rather than an IT task.

From an executive perspective, this means:

By embedding governance at the core, CPG 2.0 reinforces that cybersecurity performance must be visible to the C-suite and board, not buried in tactical reports.

Identify: Understanding the Environment and Risk Landscape

The Identify function requires organizations to gain a rich, contextual awareness of assets, dependencies, and risks. This goes beyond basic inventories to include supply chain exposure, third-party software dependencies, and organizational priorities.

Performance goals under Identify push teams to:

This capability is essential for executive-level decision-making because it informs discussions on where investment has the greatest impact and where exposure could disrupt revenue or operations.

Protect: Controls That Reduce Risk and Limit Impact

Protect goals spell out expectations for defenses that reduce risk exposure. These include identity and access management, network segmentation, secure configurations, encryption, and backup strategies.

Rather than listing controls, CPG 2.0 reframes them as performance outcomes: whether these safeguards genuinely limit the effectiveness of an attack and contain the blast radius when an incident occurs.

For example, goals under Protect emphasize:

Detect: Turning Noise into Insight

Detection capability is the key differentiator between organizations that merely react to incidents and those that respond proactively. CPG 2.0 frames detection as a performance metric that measures visibility, context, and the timely identification of adverse events.

Specific performance expectations include:

For executives, detection performance correlates with time to awareness, a metric that directly impacts incident severity and operational impact.

Respond: Coordinated, Effective Actions Under Pressure

Response is where governance and preparedness visibly intersect with operational capability. CPG 2.0 expects organizations to not only have response plans but also exercise, refine, and coordinate them across functions.

Performance goals in this function emphasize:

Organizations that routinely exercise response plans and capture lessons learned demonstrate resilience, reducing potential business impact and legal risk.

Recover: Restoration and Organizational Learning

Recovery often takes a back seat to preventive security efforts, but this is a critical mistake. An organization’s ability to recover from attacks is just as crucial as its ability to prevent them. CPG 2.0 elevates system recovery to a process tied to continuity and improvement, both of which are measurable. Recovery goals look beyond restoring systems to ensuring that operations return to normal with minimal disruption and that lessons from the incident improve future resilience.

This means:

Operationalizing CPG 2.0 Without Turning It Into Another Checklist

The greatest risk of rote compliance is that it becomes a performance, a checklist, rather than a set of best practices. CPG 2.0 can avoid this trap only if leaders resist the urge to treat it as another mapping exercise.

Successful organizations will use CPG 2.0 as a strategic lens to evaluate whether cybersecurity aligns with the outcomes leadership actually cares about. This often involves integrating CPG concepts into enterprise risk management, budget planning, and board reporting rather than isolating them within security programs.

Successful organizations will learn from CPGs rather than view them as a ruleset. Furthermore, they’ll frame those lessons in terms of outcomes. That is, the result isn’t “we implemented the right control,” but rather, “this control improves response times” or “this practice reduces incidents of data exposure.”

Rely on Foundational Best Practices with Lazarus Alliance

CPG 2.0 provides a language and structure for the conversation between security leaders and executives. It enables CISOs, CIOs, and compliance officers to move beyond defensive explanations toward proactive, performance-based narratives that resonate with executives.

To learn more about how Lazarus Alliance can help, contact us.