January 3, 2026

CISA’s updated CPG 2.0 framework guides IT and OT environments, targets foundational cyber resilience

CISA’s Cross-Sector Cybersecurity Performance Goals (CPG) 2.0 update establishes a streamlined set of voluntary security practices that provide a measurable baseline for improving cyber resilience across both IT and operational technology (OT) environments. The framework aligns with the NIST Cybersecurity Framework 2.0 and incorporates lessons learned from real-world threats and extensive engagement with industry and government stakeholders to ensure practical applicability. It consolidates and harmonizes cybersecurity objectives across critical infrastructure sectors, breaking down traditional silos between IT and OT and emphasizing foundational outcomes that organizations can implement to strengthen core defensive capabilities.

A notable enhancement in CPG 2.0 is the inclusion of governance and leadership accountability, underscoring the role of organizational leadership in integrating cybersecurity into everyday operations and risk management practices. The updated goals also address key areas such as supply chain risk management, zero-trust architecture, incident response, and communication, broadening the scope of protection while still focusing on high-impact actions that deliver measurable risk reduction. By prioritizing these foundational practices, CISA aims to help critical infrastructure operators benchmark progress, guide investment decisions, and reduce exposure to emerging cyber threats in a consistent, outcome-oriented manner.

Source: https://industrialcyber.co/cisa/cisas-updated-cpg-2-0-framework-guides-it-and-ot-environments-targets-foundational-cyber-resilience/
