CISA Cross-Sector Cybersecurity Performance Goals for OT Systems
Key Takeaway
CISA's Cross-Sector Cybersecurity Performance Goals (CPGs) are a voluntary baseline of foundational practices for critical infrastructure, including OT and ICS environments. They are designed to be approachable and high-impact, covering areas like asset inventory, access control, network segmentation, and incident response — a practical starting point that complements deeper standards such as IEC 62443.
Quick Answer
CISA's Cross-Sector Cybersecurity Performance Goals (CPGs) are a voluntary set of foundational cybersecurity practices for critical infrastructure owners and operators, including those running OT and ICS environments. They are intentionally approachable and prioritized for impact, covering practical areas such as asset inventory, access control, network segmentation, and incident response. They serve as a starting baseline that complements — rather than replaces — more detailed standards like IEC 62443.
What the CPGs Are — and Are Not
The CPGs were developed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to give critical infrastructure owners a common, prioritized set of baseline practices. They are voluntary guidance, not a regulation, and they are deliberately written to be accessible to organizations that are not yet mature in their security programs. The intent is to identify a manageable set of high-value actions that meaningfully reduce risk, rather than to require a comprehensive program all at once.
Because the specific content and structure of the CPGs can be updated, owners should reference CISA's current published materials for the authoritative list and any OT-specific guidance, rather than relying on a fixed set of numbered requirements. CISA released CPG 2.0 on December 11, 2025, which aligns the goals with the latest NIST Cybersecurity Framework and adds a governance component covering accountability and risk management — so confirm which version you are working from.
Why the CPGs Matter for OT
OT and ICS environments are squarely within scope of critical infrastructure protection, and the CPGs explicitly recognize the importance of operational technology. For an organization that finds a full standard like IEC 62443 daunting, the CPGs offer an on-ramp: a prioritized list of practices that builds momentum and demonstrates measurable progress. They are also useful as a common language between leadership, IT, and OT teams when discussing where to invest.
The Kinds of Practices the CPGs Emphasize
While the exact items should be confirmed against CISA's current publications, the goals broadly emphasize foundational practices that map well onto OT security, including:
- Asset inventory and management — knowing what hardware and software is in the environment, a prerequisite the OT cybersecurity guide also stresses.
- Account and access security — strong authentication, multi-factor where feasible, and removing default or unused credentials.
- Network segmentation — separating OT from IT to limit how far an intrusion can spread, the focus of our Purdue Model guide.
- Vulnerability and patch management — addressing known weaknesses in a risk-based, tested way.
- Detection and incident response — the ability to detect events and respond with a plan suited to operational environments.
- Backup and recovery — maintaining the ability to restore systems, a key defense against ransomware.
How to Use the CPGs
A practical approach is to treat the CPGs as a self-assessment checklist: review each goal, honestly rate how well the organization meets it today, and build a prioritized improvement plan from the gaps. Because the goals are prioritized for impact, this tends to surface a short list of high-value actions quickly — an attractive property for organizations with limited security resources.
For organizations on a longer journey, the CPGs work hand in hand with IEC 62443: use the CPGs to establish and demonstrate a strong baseline, then mature into the more comprehensive zone-and-conduit and security-level work that IEC 62443 enables.
Turning Guidance Into Engineering
Meeting baseline goals such as segmentation, access control, and recovery ultimately requires changes to the control systems and networks themselves. NFM Consulting helps owners translate frameworks like the CPGs into concrete improvements through our SCADA and control system engineering. Contact NFM Consulting to map your environment against a recognized baseline.
Frequently Asked Questions
What are the Cross-Sector Cybersecurity Performance Goals?
The Cross-Sector Cybersecurity Performance Goals (CPGs) are a voluntary set of foundational, prioritized cybersecurity practices published by CISA for critical infrastructure owners and operators, including OT and ICS environments. They are designed to be approachable and high-impact, covering areas such as asset inventory, access control, network segmentation, vulnerability management, incident response, and backup. They are guidance rather than regulation.
Are the CPGs mandatory for critical infrastructure operators?
No. The CPGs are voluntary guidance, not a regulation. They are intended to give critical infrastructure owners a common, prioritized baseline of high-value practices that reduce risk, especially for organizations that are early in their security journey. Because the content can be updated, operators should consult CISA's current published materials for the authoritative list rather than relying on a fixed set of numbered requirements.
How do the CPGs relate to IEC 62443?
The CPGs and IEC 62443 are complementary. The CPGs offer a voluntary, approachable baseline of foundational practices that helps an organization make measurable early progress. IEC 62443 is a detailed international standard for industrial control system security built around zones, conduits, and security levels. Many owners use the CPGs to establish a strong baseline, then mature into the deeper, more comprehensive work that IEC 62443 defines.