The Cybersecurity and Infrastructure Security Agency has released version 2.0 of its Cross-Sector Cybersecurity Performance Goals, or CPGs, an updated guidance for integrating cybersecurity within an organization’s daily operations.
The Potomac Officers Club’s 2026 Cyber Summit on May 21 will bring together cybersecurity experts from across government and industry to discuss some of the most pressing cyber issues and opportunities today. Get your tickets here.
CISA said Thursday that the document reflects three years of operational insights and contains best practices collected from industry and government leaders and cybersecurity experts.
“Over the past year, CISA has engaged extensively with hundreds of stakeholders across both the public and private sectors to ensure the updated goals reflect real-world challenges and operational realities,” Acting CISA Director Madhu Gottumukkala stated. “Version 2.0 demonstrates our commitment to listening to and incorporating partner feedback to deliver practical, outcome-driven guidance that organizations can act on.”
The Cross-Sector CPGs align with the National Institute of Standards and Technology Cybersecurity Framework 2.0.
Table of Contents
What Is the CPG Version 2.0?
The updated goals expand the agency’s current guidance on account and device security, data protection, governance, vulnerability management, supply chain risk, and incident response and recovery.
The Cross-Sector CPG 2.0 introduces a section on the role of organizational leadership. CISA also consolidated operational and information technology into universal goals and added measures addressing emerging threats to eliminate silos in the new guidance.
The document also adds new goals for third-party risk, zero trust architecture and incident communication.
According to Gottumukkala, the CPGs apply to all critical infrastructure sectors.
Are CISA’s Cross-Sector CPGs Effective?
The updated guidance comes almost a year after CISA published its Cybersecurity Performance Goals Adoption Report. The agency found that, based on its analysis of 7,791 critical infrastructure organizations enrolled in its vulnerability scanning service, cybersecurity has improved in the sector since the implementation of CPG in 2022.
The report found a decline in known exploited vulnerabilities, or KEVs, and Secure Sockets Layer misconfigurations.
Related Articles
President Donald Trump has signed an executive order directing the attorney general to establish an artificial intelligence litigation task force to challenge state AI laws deemed “unconstitutional, preempted, or otherwise unlawful,” which could potentially hinder innovation. Explore innovative AI use cases and connect with GovCon leaders at the Potomac Officers Club’s 2026 Artificial Intelligence Summit on March 19. Reserve your seat today to be part of this transformative conversation. What Are the Key Provisions of Trump’s New Executive Order on AI? Under the new EO, the secretary of commerce will evaluate state AI laws for conflicts with national policy priorities
Secretary of the Air Force Troy Meink highlighted major changes in the Department of the Air Force’s acquisition process during his keynote speech Thursday at the Spacepower 2025 Conference, the U.S. Space Force reported. What Are Troy Meink’s Thoughts on Portfolio Acquisition Executives? One of the structural changes Meink cited is the shift from program executive officers to portfolio acquisition executives, or PAEs, to speed up the decision-making process and provide leaders with clearer authority. “We’re moving from the old program executive officer model to portfolio acquisition executives, and the whole focus is making sure our people are empowered to
The National Security Agency has issued a Cybersecurity Information Sheet detailing how organizations can address configuration challenges associated with Unified Extensible Firmware Interface—a.k.a. UEFI—Secure Boot. The agency said Thursday that the guidance provides system owners with instructions on how to verify Secure Boot settings and detect or recover from misconfigurations. Cyber has become a principal battlefield in global conflict and American systems are being targeted. Join the Potomac Officers Club’s 2026 Cyber Summit on May 21 to gain a better understanding of cyber from global adversaries and near-peer nations and get updates to ongoing and future cyber initiatives across the