Dec 15
CISA Releases Updated Cybersecurity Performance Goals to Strengthen Critical Infrastructure
The Cybersecurity and Infrastructure Security Agency (CISA) has unveiled version 2.0 of its Cross-Sector Cybersecurity Performance Goals (CPGs), a refreshed framework designed to help organizations embed cybersecurity into daily operations and counter evolving digital threats.
Announced Thursday, the updated guidance reflects three years of operational insights and incorporates best practices gathered from industry leaders, government officials, and cybersecurity experts. Acting CISA Director Madhu Gottumukkala emphasized the collaborative nature of the update, noting that the agency engaged with hundreds of stakeholders across both public and private sectors to ensure the goals address real-world challenges.
“Version 2.0 demonstrates our commitment to listening to and incorporating partner feedback to deliver practical, outcome-driven guidance that organizations can act on,” Gottumukkala said.
Key Updates in CPG 2.0
• Expanded Coverage: Strengthens guidance on account and device security, data protection, governance, vulnerability management, supply chain risk, and incident response.
• Leadership Role: Introduces a new section highlighting the importance of organizational leadership in cybersecurity strategy.
• Unified Goals: Consolidates operational and IT objectives into universal measures to eliminate silos.
• Emerging Threats: Adds new goals for third-party risk management, zero trust architecture, and incident communication.
• Framework Alignment: Fully aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0.
The release follows CISA’s 2024 Cybersecurity Performance Goals Adoption Report, which analyzed 7,791 critical infrastructure organizations enrolled in the agency’s vulnerability scanning service. Findings showed measurable improvements since the initial rollout of CPGs in 2022, including declines in known exploited vulnerabilities (KEVs) and Secure Sockets Layer (SSL) misconfigurations.
The updated CPGs apply across all critical infrastructure sectors, reinforcing CISA’s mission to provide actionable, outcome-driven guidance that adapts to the rapidly changing cyber threat landscape.
Executive IT Forums, Inc.
Copyright © 2025 Executive IT Forums, Inc. All Rights Reserved.