CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0
CISA's Cross-Sector Cybersecurity Performance Goals (CPGs) are a prioritized subset of IT and OT cybersecurity practices aimed at meaningfully reducing risk to critical infrastructure operations. Aligned with the NIST Cybersecurity Framework, CPGs provide a common set of protections that all critical infrastructure owners and operators can implement.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (14)
Account Security
| Code | Title |
|---|---|
| CPG-1.A | Changing Default Passwords |
| CPG-1.B | Minimum Password Strength |
| CPG-1.C | Unique Credentials |
| CPG-1.D | Revoking Credentials for Departing Employees |
| CPG-1.E | Separating User and Privileged Accounts |
| CPG-1.F | Phishing-Resistant MFA |
Account Security
Identity and access management, MFA, and credential protection
| Code | Title |
|---|---|
| CPG-1.A | Changing Default Passwords |
| CPG-1.B | Minimum Password Strength |
| CPG-1.C | Unique Credentials |
| CPG-1.D | Revoking Credentials for Departing Employees |
| CPG-1.E | Separating User and Privileged Accounts |
| CPG-1.F | Phishing-Resistant MFA |
Data Security
| Code | Title |
|---|---|
| CPG-3.A | Log Collection |
| CPG-3.B | Secure Log Storage |
| CPG-3.C | Strong and Agile Encryption |
| CPG-3.D | Secure Sensitive Data |
Data Security
Data protection, encryption, and information handling
| Code | Title |
|---|---|
| CPG-3.A | Log Collection |
| CPG-3.B | Secure Log Storage |
| CPG-3.C | Strong and Agile Encryption |
| CPG-3.D | Secure Sensitive Data |
Device Security
| Code | Title |
|---|---|
| CPG-2.A | Asset Inventory |
| CPG-2.B | Prohibit Connection of Unauthorized Devices |
| CPG-2.C | Hardware and Software Approval Process |
| CPG-2.D | Disable Macros by Default |
| CPG-2.E | Document Device Configurations |
| CPG-2.F | No Exploitable Services on the Internet |
| CPG-2.G | Limit OT Connections to Public Internet |
| CPG-2.H | Document Network Topology |
Device Security
Asset management, endpoint protection, and secure configuration
| Code | Title |
|---|---|
| CPG-2.A | Asset Inventory |
| CPG-2.B | Prohibit Connection of Unauthorized Devices |
| CPG-2.C | Hardware and Software Approval Process |
| CPG-2.D | Disable Macros by Default |
| CPG-2.E | Document Device Configurations |
| CPG-2.F | No Exploitable Services on the Internet |
| CPG-2.G | Limit OT Connections to Public Internet |
| CPG-2.H | Document Network Topology |
Governance & Training
| Code | Title |
|---|---|
| CPG-4.A | Organizational Cybersecurity Leadership |
| CPG-4.B | OT Cybersecurity Leadership |
| CPG-4.C | Basic Cybersecurity Training |
Governance and Training
Leadership accountability, cyber risk management, and workforce training
| Code | Title |
|---|---|
| CPG-4.A | Organizational Cybersecurity Leadership |
| CPG-4.B | OT Cybersecurity Leadership |
| CPG-4.C | Basic Cybersecurity Training |
| CPG-4.D | OT-Specific Cybersecurity Training |
Network Segmentation
Network architecture, segmentation, and email security
| Code | Title |
|---|---|
| CPG-8.A | Network Segmentation |
| CPG-8.B | Email Security (DMARC) |
| CPG-8.C | Encrypted DNS |
Response & Recovery
| Code | Title |
|---|---|
| CPG-7.A | Incident Reporting |
| CPG-7.B | Incident Response Plans |
| CPG-7.C | System Backups |
| CPG-7.D | Incident Response Testing |
Supply Chain
| Code | Title |
|---|---|
| CPG-6.A | Vendor and Supplier Incident Reporting |
Supply Chain and Third Party
Supply chain risk management and vendor security
| Code | Title |
|---|---|
| CPG-6.A | Vendor and Supplier Incident Reporting |
| CPG-6.B | Supply Chain Incident Reporting |
Vulnerability Management
| Code | Title |
|---|---|
| CPG-5.A | Vulnerability Disclosure Program |
| CPG-5.B | Mitigating Known Vulnerabilities |
| CPG-5.C | No Exploitable Services on the Internet |
| CPG-5.D | Vulnerability Disclosure Program |
Vulnerability Management
Vulnerability discovery, patching, and known exploited vulnerability remediation
| Code | Title |
|---|---|
| CPG-5.A | Vulnerability Disclosure Program |
| CPG-5.B | Mitigating Known Vulnerabilities |
| CPG-5.C | No Exploitable Services on the Internet |
| CPG-5.D | Vulnerability Disclosure Program |
Your Compliance Coverage
If you comply with CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0, you already cover:
AWS Well-Architected Security Pillar
40%
14 controls mapped
Compare →Azure Security Benchmark
40%
14 controls mapped
Compare →ASD Strategies to Mitigate Cyber Security Incidents
37%
13 controls mapped
Compare →+ 279 more: NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information (CUI) (37%), AWWA Cybersecurity Guidance for the Water Sector (American Water Works Association) (37%)
See all 282 mapped frameworks ↓Maps to 282 other frameworks
Frequently Asked Questions
What is CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0?
CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0 is a compliance framework from United States with 14 domains and 56 controls. CISA's Cross-Sector Cybersecurity Performance Goals (CPGs) are a prioritized subset of IT and OT cybersecurity practices aimed at meaningfully reducing risk to critical infrastructure operations. Aligned with the NIST Cybersecurity Framework, CPGs provide a common set of protections that all critical infrastructure owners and operators can implement. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0 have?
CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0 has 56 controls organised across 14 domains. The largest domains are Device Security (8 controls), Account Security (6 controls), Account Security (6 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0 map to?
CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0 maps to 282 other compliance frameworks. The top mapping partners are AWS Well-Architected Security Pillar (40% coverage), Azure Security Benchmark (40% coverage), ASD Strategies to Mitigate Cyber Security Incidents (37% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0 compliance?
Start your CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 56 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 723 frameworks.
Get Started Free →Free forever — no credit card required