Cybersecurity Performance Goals 2.0: Governance First, Outcomes Always
By Patrick Miller
CISA’s Cybersecurity Performance Goals 2.0 reshape baseline expectations for critical infrastructure. The update elevates governance, strengthens OT-specific requirements, and shifts from checklist controls to outcome-driven resilience. This Policy Pulse post breaks down what changed, why it matters, and how operators should prepare.
Overview
On December 11, 2025, CISA released Cybersecurity Performance Goals 2.0 (CPG 2.0), a substantial update that reframes how critical infrastructure organizations should think about baseline cybersecurity maturity. The original CPGs introduced a common, cross-sector set of controls. Version 2.0 is not simply an iteration. It is an architectural shift, from a checklist of discrete mitigations to a structured, outcome-oriented approach aligned with today’s threats and the newest revision of the NIST Cybersecurity Framework (CSF).
For critical infrastructure owners and operators, especially those with complex OT/ICS environments, CPG 2.0 delivers something the first version didn’t: a governance-anchored foundation that ties technical execution to enterprise-level accountability, risk management, and operational resilience.
The Most Significant Change: Governance Moves to the Front
In CPG v1, governance appeared deep within the controls list, often framed as a supporting activity. In CPG 2.0, governance is the first of six core functions, and it sets the tone for everything that follows.
CISA’s message is clear: the success of technical controls depends on the maturity of organizational governance.
New governance expectations include:
Defined cybersecurity roles and authorities, including third-party coordination.
Cybersecurity risk management strategy, reviewed and updated annually.
Regularly exercised incident response plans, not just documented ones.
Supply chain incident and vulnerability disclosure requirements in SLAs.
Management of risks from Managed Service Providers (MSPs).
For OT operators, governance now explicitly requires continuous collaboration between IT and OT teams. This sets a higher bar than v1, which only required identifying accountable individuals.
Identify: Moving From Lists to Living Programs
CPG v1 emphasized regular inventories, monthly updates, and basic vulnerability management.
CPG 2.0 takes a more active posture:
Asset inventories are continuously maintained, with increased frequency for mission-critical IT and OT assets.
Vulnerability management requires both patching and compensating controls, especially when OT assets cannot be updated without safety or availability concerns.
Independent validation of cybersecurity controls, through penetration tests, red/purple team exercises, or simulations, is now an expected outcome, not a maturity bonus.
Notably, 2.0 introduces formal vulnerability disclosure processes for all public-facing assets, including safe-harbor protections for researchers.
Protect: Strengthening Access, Segmentation, and Configuration Discipline
Many familiar themes from CPG v1 remain: strong passwords, MFA, change management, and controlling executable content.
But CPG 2.0 raises expectations in several areas:
Credential Hygiene
System-enforced minimum password lengths (16+ characters)
Unique credentials across IT and OT networks
Administrative separation of user and privileged accounts
Organization-wide requirement to change all default credentials prior to deployment
OT-Aware Network Segmentation
Version 2.0 makes segmentation foundational, including:
Physical segmentation where feasible
Restricting east-west and north-south communications to only what is strictly required
Prohibiting exposure of network management interfaces to the public internet
These expectations reflect lessons learned from ransomware campaigns, Volt Typhoon, and exploitation of remote services.
Configuration and Change Management
CPG 2.0 emphasizes secure change control, configuration discipline, and prior testing in non-production environments, areas only lightly represented in v1.
Logging and Monitoring
CPG 2.0 enhances log expectations by requiring:
Centralized log storage
Alerts when logging is disabled
OT-specific accommodations (network traffic collection where device logs do not exist)
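The "alert when logging is disabled" outcome above has two halves that a SIEM rule should cover: an explicit event announcing that a log service stopped or was wiped, and a source that simply goes quiet (which is what a disabled forwarder, a severed span port or a wiped agent looks like from the collector). The script below is an added example, not code from CISA or from the original post; the log lines, hostnames, silence thresholds and line format are constructed for illustration, while the Windows Security-log event IDs 1100 and 1102 and the auditd/rsyslogd stop messages are the real ones.

```python
"""Added example: detect the two ways logging goes dark, an explicit
'logging stopped' event and a source that simply falls silent.
Log lines, hostnames, thresholds and the line format are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Explicit shutdown/tamper signals. The Windows IDs are real Security-log
# events (1100: event logging service shut down, 1102: audit log cleared);
# the auditd and rsyslogd patterns match those daemons' own stop messages.
DISABLED_PATTERNS = {
    "windows_eventlog_shutdown": re.compile(r"EventID=1100\b"),
    "windows_audit_log_cleared": re.compile(r"EventID=1102\b"),
    "auditd_stopped": re.compile(r"auditd\[\d+\]: .*(exiting|stopped)"),
    "syslog_forwarder_stopped": re.compile(r"rsyslogd.*exiting on signal"),
}


@dataclass(frozen=True)
class LogRecord:
    ts: datetime
    source: str
    message: str


@dataclass(frozen=True)
class Alert:
    kind: str
    source: str
    detail: str


def parse_line(line: str) -> LogRecord:
    """Parse '<ISO-8601 timestamp> <source> <message>' (constructed format)."""
    ts_str, source, message = line.split(" ", 2)
    return LogRecord(datetime.fromisoformat(ts_str), source, message)


def explicit_disable_alerts(records):
    """Alert on any record announcing that the log pipeline stopped or was wiped."""
    return [Alert(kind, r.source, r.message)
            for r in records
            for kind, pat in DISABLED_PATTERNS.items()
            if pat.search(r.message)]


def silent_source_alerts(records, expected, now):
    """Alert when a source that must report has exceeded its silence budget.
    `expected` maps source name -> maximum tolerated gap (timedelta).
    A source with no records at all is reported separately: logging disabled
    before the first heartbeat is indistinguishable from a feed never wired up."""
    last_seen = {}
    for r in records:
        if r.source not in last_seen or r.ts > last_seen[r.source]:
            last_seen[r.source] = r.ts
    alerts = []
    for source, max_gap in expected.items():
        seen = last_seen.get(source)
        if seen is None:
            alerts.append(Alert("source_never_seen", source, "no records in window"))
        elif now - seen > max_gap:
            alerts.append(Alert("source_silent", source,
                                f"last record {seen.isoformat()}, budget {max_gap}"))
    return alerts


def run_checks(lines, expected, now):
    records = [parse_line(line) for line in lines if line.strip()]
    return explicit_disable_alerts(records) + silent_source_alerts(records, expected, now)


# Constructed sample: a historian, an OT gateway, an engineering workstation,
# and an OT firewall (fw-ot01) whose feed never reaches the collector.
SAMPLE_LOGS = """\
2025-12-12T08:00:00+00:00 hist01 EventID=4624 logon success user=ops
2025-12-12T08:05:00+00:00 plc-gw01 connection accepted from 10.10.20.5 port 502
2025-12-12T08:10:00+00:00 hist01 EventID=1102 The audit log was cleared
2025-12-12T08:11:00+00:00 eng-ws02 auditd[812]: The audit daemon is exiting.
2025-12-12T08:30:00+00:00 plc-gw01 connection accepted from 10.10.20.7 port 502
2025-12-12T08:40:00+00:00 hist01 EventID=1100 The event logging service has shut down
""".splitlines()

# Silence budgets per source (assumed values; tune to each source's real cadence).
EXPECTED_SOURCES = {
    "hist01": timedelta(minutes=15),
    "plc-gw01": timedelta(minutes=60),
    "eng-ws02": timedelta(minutes=30),
    "fw-ot01": timedelta(minutes=60),
}
NOW = datetime(2025, 12, 12, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for a in run_checks(SAMPLE_LOGS, EXPECTED_SOURCES, NOW):
        print(f"{a.kind:28} {a.source:10} {a.detail}")
```

Two design points carry over to OT. First, the silence check is the one that matters for devices with no logs of their own: the "source" becomes the span-port or flow collector feeding the OT sensor, so a severed tap or a quietly disabled NetFlow export raises the same alert as a stopped Windows event log. Second, silence budgets should be set per source from its observed cadence; a PLC gateway that legitimately reports once an hour needs a wider budget than a historian, or the rule drowns in false positives and gets switched off, which is precisely the outcome the control exists to prevent.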
Detect: Blending Signature and Behavioral Detection
CPG 2.0 acknowledges the reality that signature-only detection is insufficient.
Outcome-based detection requires:
Antivirus or malicious-code detection using both signature-based and behavioral techniques
Automated analysis of event data
OT-specific testing to ensure detection tools do not impair system performance
This aligns strongly with current adversary tradecraft, which increasingly relies on living-off-the-land behavior.
Respond: Communication, Coordination, and Reporting Expectations Rise
Where v1 focused on having an incident response plan, CPG 2.0 focuses on executing, communicating, and coordinating during incidents:
Defined communication plans for internal and external stakeholders
Secure information sharing
Timely reporting of incidents to regulators, SRMAs, ISACs/ISAOs, and CISA itself
Role-specific training for analysts and responders
CPG 2.0 brings IR expectations closer to federal incident reporting frameworks and to the CIRCIA reporting rule, if and when that rule is finalized.
Recover: Degraded-Mode Operations and Post-Incident Learning
CPG 2.0 requires organizations to:
Execute recovery plans that maintain mission-critical functions even in degraded states
Validate backup integrity before restoration
Conduct post-incident reviews and update policies accordingly
The inclusion of manual, radio-based, or paper-based fallback operations reflects a mature view of real-world operational resilience.
OT-Specific Comparison: CPG v1 vs. CPG 2.0
Below is a comparison of how OT expectations evolved from CPG v1 (controls-based) to CPG 2.0 (outcome-oriented).
| Topic | CPG v1 OT Expectation | CPG 2.0 OT Expectation | Impact on Critical Infrastructure Operators |
|---|---|---|---|
| Governance & Accountability | Named cybersecurity and OT-specific accountable individuals. | Full governance framework; cross-functional IT/OT collaboration; documented policies reviewed annually. | Higher maturity threshold; governance becomes prerequisite to technical success. |
| Asset Inventory | Monthly IP-based inventory updates. | Continuously maintained inventory; increased frequency for critical OT assets. | Improves availability, response, and alignment with internal network security monitoring (INSM); requires more automation. |
| Vulnerability Management | Patch Known Exploited Vulnerabilities (KEVs) or apply compensating controls. | Documented compensating controls for unpatchable OT, with risk tracking and response monitoring. | More realistic for legacy OT; requires formalized risk registers and decision documentation. |
| Network Topology | Maintain baseline network and OT configuration documentation. | Accurate, annually reviewed topology with changes reflected immediately. | Better incident response and containment; aligns with modern SOC requirements. |
| Segmentation | Segment IT/OT with firewalls and monitored connections. | Logical and physical segmentation; data diodes where feasible; strict controls on remote access. | More rigorous boundaries; reduces lateral movement risks seen in major incidents. |
| Logging & Monitoring | Capture and secure logs relevant to security incidents. | Centralized logging; alerts when logging is disabled; network traffic collection for devices lacking logs. | Improves OT visibility; supports threat hunting and forensic analysis. |
| Incident Response | Maintain and drill IR plans. | Realistic exercises; OT-specific safety considerations; defined communications plans. | Aligns IR programs with sector reporting expectations and modern threat behaviors. |
| Backups & Restoration | Regular backups stored separately; include OT configs and logic. | Integrity validation before restoration; recurring testing; readiness for degraded operations. | More resilient recovery posture; aligns with ransomware and disruption scenarios. |
What CPG 2.0 Signals for 2026 and Beyond
The shift from controls to outcomes reflects how cybersecurity is evolving across sectors:
Governance is becoming the central organizing function.
OT-specific guidance is no longer optional or implied; it is explicitly integrated.
Technical controls alone are insufficient without accountability and cross-functional alignment.
Resilience means maintaining operations even in degraded or isolated modes.
Organizations that adopt the CPG 2.0 outcomes model early will be better positioned to meet upcoming regulatory expectations, improve audit readiness, and reduce operational risk.
Conclusion
CPG 2.0 signals a meaningful shift in how the federal government defines baseline cybersecurity for critical infrastructure. By placing governance at the center, CISA reframes cybersecurity as an enterprise function that requires leadership accountability, clearer decision pathways, and sustained coordination across IT, OT, and operational teams. This structure reflects the realities facing operators today, where resilience depends as much on governance maturity as on technical controls.
For organizations with OT and ICS environments, the update brings long-needed clarity. OT considerations are now more integrated across all goal areas, from vulnerability management and logging expectations to incident response, segmentation, and recovery. CISA’s emphasis on compensating controls, accurate topology documentation, and the ability to operate safely in degraded conditions aligns closely with the threats and operational challenges critical infrastructure owners regularly encounter.
By shifting from a checklist of controls to outcome-oriented expectations, CPG 2.0 aligns with the broader regulatory trend toward measurable risk reduction and operational resilience. It is not a compliance mandate, nor a comprehensive framework, but it captures a set of high-impact practices that consistently matter across sectors. For owners and operators seeking to strengthen their security posture and prepare for emerging regulatory expectations, CPG 2.0 offers a practical, focused foundation for building both security and resilience into day-to-day operations.