What are the CISA Cybersecurity Performance Goals?

What are the CISA Cybersecurity Performance Goals?

Over the years, large enterprises, small businesses, and government organizations have experienced unprecedented cyberattacks, regardless of the security measure and amount spent setting up a mature cyber defense.

Statista records that in 2022, 70% of the respondents globally reported that cyber attackers threatened their company. Given these challenges, the Cybersecurity and Infrastructure Security Agency (CISA) developed cross-sector Cybersecurity Performance Goals (CPGs). The CPGs provide an approachable standard set of Operational Technology (OT) and IT cybersecurity protections that are clearly stated, implementable, and aimed at addressing common cyberattacks.

The CPGs were released in response to the American President, Joe Biden’s National Security memorandum to improve cybersecurity for infrastructure control systems. They have since then served as baseline cybersecurity practices. Read on to learn more about these goals and how effectively they have addressed the challenges.

What are CISA Cybersecurity Performance Goals?

The Cybersecurity Performance Goals are a high-priority component of IT and OT cybersecurity practices aimed at meaningfully reducing risks to CI operations. These goals are relevant across all CI sectors. They are prompted by the common threats and adversary Tactics Techniques and Procedures (TTP) observed by CISA, its government, and industry partners, making them a standard set of protections that all CI entities, large and small, should incorporate.

These goals are typically intended to help small and medium enterprises to be strong in pursuing cybersecurity.

Key Characteristics of CPGs

  • They are standard for measuring and improving critical infrastructure operators’ cybersecurity maturity.
  • They are recommended practices for IT and OT owners, including a high-priority security technique set.
  • A foundational and prioritized set of cybersecurity practices
  • They are applicable across critical infrastructure sectors and have proven risk-reduction value.
  • They are targeted at reducing risks to the CI operation

Categories of the Cyber Security Performance Goals

The CISA Cybersecurity Performance Goals are based on the most significant threats and adversary tactics, techniques, and procedures identified by CISA and its partners in government and industry. The CPGs are categorized into eight domains as follows:

Account Security

The account security goal refers to the process of defending an individual’s or organization’s login credentials and online accounts against fraudulent usage or access by unauthorized third parties. Some benefits that will result from achieving this goal include:

  • When a user has unique credentials, it is impossible for fraudsters to compromise their login data and travel freely across networks.
  • By keeping user accounts and privileged accounts distinct from one another, it is more difficult for cybercriminals to access administrative accounts.
  • Accounts whose login data have been hacked can still be safeguarded thanks to Multi-Factor Authentication’s additional levels of protection.
  • A company can protect itself against former workers who could pose a security risk by revoking their credentials immediately after they leave the company.
  • Protecting a company against credential-based threats requires monitoring for failed automated login attempts.
  • Assigning a minimal password strength makes it more difficult for cybercriminals to crack an organization’s credentials.

Device security

In order to accomplish this goal, there is a need to take the necessary precautions to prevent unauthorized access to critical systems and data, as well as to lower the likelihood of cyberattacks and data breaches. The following are additional features of this CPG:

  • The clearance procedure for hardware and software will improve technological transparency and lessen the risk of security incidents caused by unauthorized software or hardware installations.
  • Macros and other comparable executable scripts and adversary TTP are less of a threat when they are turned off by default.
  • A thorough asset inventory will reveal which assets are currently being handled, which are unknown, and which are not being tracked at all. New security flaws will be discovered and patched immediately.
  • Disabling Macros by default reduces the risk from macro and similar executable codes and adversary TTP.
  • If criminals can’t hook up their own devices, that’s a good sign that you’re serious about keeping them out.

Data Security

Protecting private and sensitive information from prying eyes is a primary reason for prioritizing data security. The aim of this goal is to lower the likelihood of data breaches and other cybersecurity incidents in the following ways:

  • Organizational security records are safeguarded against intrusion using secure log storage.
  • Log collection will help achieve enhanced visibility to detect and respond to cyber-attacks.
  • Data confidentiality and OT/IT traffic integrity will be preserved thanks to the use of flexible and powerful encryption.
  • Sensitive data will be safe from intrusion if it is stored securely.
  • If you want better insight into cyberattacks and a chance to respond to them, log gathering is a good place to start.

Governance and Training

Good governance and training assist employees to understand their responsibilities in securing an organization’s systems and data. This goal functions as follows:

  • Users and workers will be able to understand and apply security features if they receive basic cybersecurity training.
  • It makes it easier to hold leaders responsible for the company’s cybersecurity 
  • In order to better defend against and respond to cyber threats in Operational Technology (OT), it is important to strengthen the connections between IT and OT cybersecurity.
  • An individual will be held responsible for the cyber security of the organization’s OT systems through the implementation of OT cybersecurity leadership.

Vulnerability Management

One of the CISA cybersecurity performance goals is to adopt effective vulnerability management, which allows for the detection, evaluation, remediation, and reporting of vulnerabilities in an organization’s software and systems. Positive outcomes that can be expected from achieving this goal are:

  • The reporting and disclosure of vulnerabilities provide businesses with crucial information about the weaknesses in their infrastructure.
  • Attacks against OT assets on the public internet can be mitigated by restricting the number of OT devices that can connect to the internet.
  • The risk of a network being exploited and compromised is reduced when known vulnerabilities are patched.
  • Cybersecurity controls are proven effective and vulnerable technologies are pinpointed by an independent verifier.

Supply Chain/ Third Party

With this CISA cybersecurity performance goal, businesses may help lessen the likelihood of cyberattacks and data breaches stemming from weaknesses in the infrastructure of their vendors and other third parties. It may also aid in keeping internal systems and data secure, private, and readily accessible. The intended results are as follows:

  • If businesses report incidents that occur in their supply chains, they may become aware of security issues with all of their suppliers and partners and take appropriate action.
  • Cybersecurity standards help lessen potential dangers while getting more secure services and products from vendors. 
  • Disclosure of supply chain flaws helps businesses spot and fix security flaws in third-party products and services.

Response And Recovery

It is important to have a plan in place for handling and recovering from cyber disasters including data breaches, virus assaults, and other forms of online intrusion.

Methods for responding to and recovering from incidents include: reporting incidents; creating incident response (IR) plans; backing up systems; and documenting the network’s topology.

  • Organizations can better respond to attacks and keep operations running smoothly if they keep track of their network architecture.
  • System backups lessen the possibility of time spent recovering from data and operation loss.
  • Reporting occurrences allows CISA and others to better prepare for and respond to attacks


Some other Cyber Security Performance Goals include:

  • Network Segmentation.
  • Detecting relevant Threats and TTP.
  • Email Security.

Would You Like to Implement the Cybersecurity Performance Goals?

Our IT professionals are well-versed in the best practices for implementing strong cybersecurity measures in any size organization. Give us a call at (920) 256-1214 or visit our website to get in touch.