Full Report
Ashden Fein, Caleb Skeath, John Webster Leslie, and Krissy Chapman of Covington and Burling write: On December 11, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) released its Cybersecurity Performance Goals 2.0 (“CPG 2.0”), an update to its core set of recommended cybersecurity practices for critical infrastructure owners and operators, which we previously wrote about here. Established by the...
Analysis Summary
# Regulation/Compliance: CISA Cybersecurity Performance Goals 2.0 (CPG 2.0)
## Overview
The Cybersecurity Performance Goals 2.0 (CPG 2.0) is an updated, core set of recommended cybersecurity practices issued by CISA. These goals are designed to establish a baseline understanding of essential security practices for critical infrastructure owners and operators, aiming to reduce risk from known, high-impact cyber threats. CPG 2.0 applies to both Information Technology (IT) and Operational Technology (OT) environments.
## Key Details
- Issuing Authority: U.S. Cybersecurity and Infrastructure Security Agency (CISA)
- Effective Date: Released December 11, 2025
- Jurisdiction: United States; specifically targeting Critical Infrastructure owners and operators, including government and defense contractors.
- Status: Final (Released document)
## Requirements
### Mandatory Requirements
**None.** The document explicitly states that the CPGs are **voluntary**.
### Recommended Practices
1. **Establish Baseline Security:** Adopt the established outcome-driven cybersecurity goals to define a minimum acceptable security posture against high-impact threats.
2. **Integrate IT/OT Security:** Apply the goals across both information technology (IT) and operational technology (OT) environments.
3. **Align with NIST CSF 2.0:** Use the CPG 2.0 framework to inform and build out a broader cybersecurity program based on the structure and latest revisions of NIST CSF 2.0.
4. **Address Current Threats:** Implement practices designed to reduce risk related to the most common and significant threats facing critical infrastructure based on CISA's operational data and threat research.
## Affected Organizations
- Industries: Critical infrastructure owners and operators.
- Organization Size: Not specified; the goals are implied to cover all entities within critical infrastructure sectors.
- Geographic Scope: United States.
## Compliance Timeline
- **December 11, 2025:** CPG 2.0 was released to the public.
- **Ongoing:** As these are voluntary goals established under the 2021 National Security Memorandum, organizations should integrate these updated recommendations into their continuous improvement cycles immediately.
- **Final deadline:** No formal final deadline (Voluntary).
## Implementation Guidance
### Assessment Phase
- **Gap Analysis:** Assess current cybersecurity practices against the CPG 2.0 goals, noting where current security controls fall short of the desired outcomes.
- **Threat Profile Review:** Evaluate current posture against the known, high-impact cyber threats and adversarial TTPs that CPG 2.0 is designed to address.
### Implementation Phase
- **Prioritize Outcomes:** Focus implementation efforts on achieving the defined security outcomes rather than strictly mapping to prescriptive subcategories.
- **System Integration:** Ensure that the application of CPG 2.0 addresses controls across both IT and OT domains simultaneously.
### Validation Phase
- **Framework Mapping:** Verify how the implemented controls align with the core Functions of NIST CSF 2.0 (Identify, Protect, Detect, Respond, Recover, Govern).
## Technical Requirements
Specific technical controls are not detailed directly in the summary, but the goals are designed to enforce high-level security outcomes that inherently require robust technical controls across areas like asset management, access control, continuous monitoring, and incident response planning for both IT and OT systems.
## Penalties & Enforcement
- Fines: **No explicit penalties are mentioned** as the guidelines are voluntary.
- Other Consequences: Failure to adopt these practices, especially for government or defense contractors, could lead to contract non-compliance issues or regulatory scrutiny under the authorities that underpin the CPGs (such as the 2021 National Security Memorandum).
- Enforcement: No enforcement mechanism is detailed for the CPGs themselves, since they are recommendations, but adherence may become *de facto* mandatory if the goals are incorporated into future contractual obligations or sector-specific regulations.
## Related Standards
- **NIST Cybersecurity Framework (CSF) 2.0:** CPG 2.0 is explicitly aligned with NIST CSF 2.0, reflecting updates to its core Functions (Identify, Protect, Detect, Respond, Recover, and Govern).
- **Underpinning Authority:** The **2021 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems**.
## Resources
- Official Documentation: CISA Cybersecurity Performance Goals 2.0 (CPG 2.0) Report (Referenced link: cisa.gov/sites/default/files/2025-12/CPG_Report_2.0_508c.pdf)
- Guidance Documents: CISA documentation on the underpinning National Security Memorandum.
- Tools: Organizations should use their established compliance tools to measure progress against the goals established in CSF 2.0.
## Practical Recommendations
1. **Review and Map:** Immediately review your current cybersecurity program against the objectives outlined in CPG 2.0.
2. **Adopt/Incorporate:** Treat the CPG 2.0 goals as the definitive current best practice baseline for risk reduction, even if voluntary, and incorporate them formally into security roadmaps.
3. **Focus on CSF 2.0 Integration:** Use the CPG 2.0 release as an opportunity to update any existing security program based on the newest NIST CSF 2.0 structure (especially the addition of the Govern Function).
4. **Engage IT/OT Teams:** Ensure that coverage for these goals extends comprehensively across both information and operational technology environments.