
CISA CPG 2.0: What critical infrastructure must do now


TL;DR

CISA released Cybersecurity Performance Goals 2.0 (CPG 2.0) in December 2025, the most significant update to cross-sector cybersecurity baseline guidance since the original CPGs were published. CPG 2.0 aligns with NIST CSF 2.0, consolidates IT and OT requirements into unified goals, and introduces new controls targeting zero-trust architecture and third-party provider risk. For critical infrastructure operators, this means a redefined compliance and operational security imperative.

In December 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released version 2.0 of its Cross-Sector Cybersecurity Performance Goals (CPG 2.0). The update reflects a threat landscape that has accelerated significantly since the original CPGs were published: nation-state actors, ransomware targeting operational technology (OT), and systemic supply chain compromises are now among the most consequential risks facing critical infrastructure sectors, including energy, water, transportation, communications, and financial services.


CPG 2.0 is not a new regulation, but it represents the clearest signal yet of where regulators and sector-specific agencies expect organizations to be. For operators already navigating frameworks such as NIST CSF, TSA cybersecurity directives, and EPA requirements, CPG 2.0 is a practical consolidation of what "good" looks like across all of them.


As CISA itself notes, the CPGs are intended as a floor, not a ceiling: a minimum baseline that every critical infrastructure organization should be able to demonstrate.

What's new in CPG 2.0: Key changes at a glance

CPG 2.0 introduces restructured requirements for critical infrastructure organizations:

Unified IT and OT goals

One of the most operationally significant changes in CPG 2.0 is the consolidation of previously separate IT, IoT, and OT goals into unified "universal goals". This change directly addresses a common failure mode: organizations treating their industrial control systems (ICS) and operational environments as cybersecurity edge cases rather than core compliance obligations.


For organizations managing corporate IT networks, IoT devices, and OT environments (power grids, water treatment systems, manufacturing lines), this means a single framework now applies across all of these domains, reducing confusion and closing the governance gap that many legacy Governance, Risk, and Compliance (GRC) platforms cannot bridge.

Four new goals for emerging threats

CPG 2.0 introduces four new goals that reflect threats that have become impossible to ignore:


  1. Third-party provider risk (1.E) — Specifically targeting managed service providers (MSPs) and vendors with deep system access
  2. Least-privilege enforcement (3.H) — Advancing zero-trust principles to limit lateral movement once an attacker is inside the network
  3. Proactive program management (1.B) — Building on governance requirements to ensure leaders adapt strategies in response to evolving threats
  4. Incident communication procedures (5.A) — Establishing clear communication channels with internal teams, partners, and suppliers during a crisis

Alignment with NIST CSF 2.0

CPG 2.0 is fully mapped to the six National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 functions (Govern, Identify, Protect, Detect, Respond, and Recover). This mapping makes it significantly easier for organizations that already report against NIST CSF to identify where CPG 2.0 introduces new or tightened requirements.

Prioritization guidance

Each CPG 2.0 goal now includes Cost, Impact, and Ease of Implementation ratings. This is a meaningful addition for resource-constrained operators and gives security and compliance teams a practical basis for sequencing implementation and communicating priorities to leadership.

7 high-priority cybersecurity practices from CPG 2.0

🔒 These are high-priority baseline actions drawn from CPG 2.0, each with demonstrated risk-reduction value across critical infrastructure sectors.


Each practice is listed with what it requires and the NIST CSF 2.0 function it maps to.

  1. Phishing-resistant multi-factor authentication (MFA). Implement MFA on all internet-facing systems, privileged accounts, and remote access. FIDO2/hardware token-based MFA is the standard; SMS or email codes no longer meet the baseline. NIST CSF 2.0 function: Protect.
  2. Asset inventory and management. Maintain a current, accurate inventory of all IT and OT assets. You cannot protect what you cannot see, and regulators expect you to demonstrate visibility across both IT and OT environments. NIST CSF 2.0 function: Identify.
  3. Vulnerability management and patching. Establish a risk-prioritized patching program. For OT environments where live patching is not feasible, document compensating controls. CPG 2.0 explicitly acknowledges OT patching constraints. NIST CSF 2.0 function: Protect.
  4. Network segmentation and zero-trust controls. Implement network segmentation between IT and OT environments. Apply least-privilege enforcement to limit lateral movement. CPG 2.0 introduces goal 3.H, which advances zero-trust principles, though CISA notes that "implement zero trust" as a broad practice remains outside the CPG baseline given implementation complexity for smaller organizations. NIST CSF 2.0 function: Protect.
  5. Third-party and supply chain risk management. Assess and manage cybersecurity risks from vendors, MSPs, and third parties with privileged or deep system access. CPG 2.0 explicitly calls out MSPs as a systemic risk vector. Operators must have documented processes for vetting, monitoring, and responding to third-party incidents. NIST CSF 2.0 functions: Govern / Identify.
  6. Incident detection and response capability. Maintain the ability to detect and respond to incidents. CPG 2.0 also introduces a new goal (5.A) for incident communication procedures, ensuring organizations have defined channels with internal teams, partners, and suppliers when incidents occur, not just the technical capability to detect them. NIST CSF 2.0 functions: Detect / Respond.
  7. Email security controls. Enable SPF, DKIM, and DMARC on all corporate email infrastructure with DMARC set to "reject." This is a direct, low-cost control that significantly reduces phishing-based initial access, which remains the most common entry point for ransomware and espionage actors. NIST CSF 2.0 function: Protect.
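The email security practice above is the one item in this list that can be verified directly from published DNS data. The following is an added example, not code from the original post or from 6clicks: it parses SPF, DKIM, and DMARC TXT records and reports whether a domain meets the "DMARC set to reject" baseline. The records are constructed sample data embedded inline (no real DNS lookups are made), and the pass/fail thresholds used here (SPF ending in -all or ~all, a non-empty DKIM key at the assumed selector "mail", DMARC p=reject applied to 100% of mail) are this example's reading of the practice, not CISA's published test criteria.

```python
"""Check SPF, DKIM and DMARC TXT records against the CPG 2.0 email baseline.

Added example; not part of the original post or of any 6clicks product.
All records below are constructed sample data standing in for real DNS
lookups. "weak.example" shows a pre-remediation configuration and
"strong.example" the corrected one.
"""

# Constructed sample TXT records keyed by the DNS name they would live at.
SAMPLE_DNS = {
    "weak.example": ["v=spf1 include:_spf.example.net ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "mail._domainkey.weak.example": [],  # no DKIM key published
    "strong.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.strong.example": [
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
        "rua=mailto:dmarc@strong.example"
    ],
    # Truncated, constructed public key; only presence of p= is checked here.
    "mail._domainkey.strong.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFA"],
}


def lookup_txt(dns, name):
    """Return TXT strings for a name from the constructed table (stand-in for a resolver)."""
    return dns.get(name, [])


def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (DMARC/DKIM style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(records):
    """SPF: exactly one v=spf1 record whose final mechanism is -all or ~all."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return False, f"expected one v=spf1 record, found {len(spf)}"
    terminal = spf[0].split()[-1].lower()
    if terminal not in ("-all", "~all"):
        return False, f"SPF terminal mechanism is {terminal!r}; need -all or ~all"
    return True, "ok"


def check_dkim(records):
    """DKIM: a key record at the selector with a non-empty p= tag (empty p= means revoked)."""
    keys = [r for r in records if "p=" in r.lower()]
    if not keys:
        return False, "no DKIM key record published at the selector"
    if not parse_tags(keys[0]).get("p"):
        return False, "DKIM p= tag is empty (key revoked)"
    return True, "ok"


def check_dmarc(records):
    """DMARC: exactly one v=DMARC1 record with p=reject applied to all mail (pct=100)."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return False, f"expected one v=DMARC1 record, found {len(dmarc)}"
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy != "reject":
        return False, f"DMARC policy is p={policy or 'missing'}; baseline requires p=reject"
    if tags.get("pct", "100") != "100":
        return False, f"pct={tags['pct']} applies the policy to only part of the mail stream"
    return True, "ok"


def assess_domain(domain, dns=SAMPLE_DNS, selector="mail"):
    """Run all three checks for a domain and report whether the baseline is met."""
    results = {
        "spf": check_spf(lookup_txt(dns, domain)),
        "dkim": check_dkim(lookup_txt(dns, f"{selector}._domainkey.{domain}")),
        "dmarc": check_dmarc(lookup_txt(dns, f"_dmarc.{domain}")),
    }
    results["meets_baseline"] = all(ok for ok, _ in results.values())
    return results


if __name__ == "__main__":
    for domain in ("weak.example", "strong.example"):
        report = assess_domain(domain)
        print(f"{domain}: meets baseline = {report['meets_baseline']}")
        for name in ("spf", "dkim", "dmarc"):
            ok, reason = report[name]
            print(f"  {name.upper():5} {'PASS' if ok else 'FAIL'}  {reason}")
```

Swapping `lookup_txt` for a real resolver call turns this into a recurring check whose output can be stored as evidence against the email security practice; the pct check matters because a record that reads p=reject but carries pct=50 still lets half of the spoofed mail through.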

Why traditional GRC platforms fall short for CPG 2.0

The challenge with CPG 2.0, and with cross-sector compliance frameworks generally, is not understanding what's required. It's demonstrating it continuously, across complex environments, without creating unsustainable manual workloads.


For critical infrastructure operators, several structural barriers make this harder than it sounds:

  • IT/OT environment fragmentation — Most legacy GRC platforms were built for corporate IT. They cannot ingest evidence from operational technology environments, industrial control systems, or air-gapped networks where some of the most critical CPG 2.0 controls apply.
  • Multi-framework mapping overhead — CPG 2.0 maps to NIST CSF 2.0, but most organizations are also managing TSA directives, sector-specific regulations, and internal control frameworks simultaneously. Without automated cross-framework mapping, compliance becomes a duplication exercise.
  • Static audit cycles — CPG 2.0 is explicitly outcome-driven, not point-in-time. Demonstrating continuous compliance requires ongoing evidence collection, not annual assessments.
  • Supply chain visibility gaps — The new third-party and MSP goals require documented, auditable processes that most organizations are only beginning to build.

How 6clicks helps critical infrastructure operators meet CPG 2.0

6clicks is built for the environments where other GRC platforms break. For critical infrastructure operators managing CPG 2.0 compliance, this means:


  • Deploy where your data must live. 6clicks can be deployed inside your environment (sovereign cloud, on-premises, or via the 6clicks certified GRC Appliance) so compliance evidence never has to leave a controlled environment. For organizations operating in air-gapped or OT-adjacent networks, this is not a feature. It is a prerequisite.

  • Map once, comply everywhere. The 6clicks Content Library includes pre-built control mappings across NIST CSF 2.0, CPG 2.0, and sector-specific frameworks. Updates to one framework propagate across all mapped controls, eliminating the duplication that makes multi-framework compliance unsustainable.

  • Collect evidence continuously. Hailey, 6clicks' AI engine, automates evidence ingestion from IT and OT systems (logs, configurations, access records, and assessment outputs) and maps them directly to controls. For CPG 2.0's new incident detection and supply chain goals, this means continuous rather than periodic assurance.

  • Operate at program scale. 6clicks' purpose-built Hub & Spoke architecture allows enterprise and government operators to manage compliance across multiple entities, regions, and frameworks from a single platform, which is critical for operators running sector-wide programs or managing shared service models.

Frequently asked questions

Is CISA CPG 2.0 mandatory for critical infrastructure operators?

CPG 2.0 is voluntary guidance, not a regulation. However, it is increasingly used as a baseline reference for cybersecurity best practices, with some sector-specific regulators, such as the Transportation Security Administration, aligning their requirements with similar controls. For government contractors and defense-adjacent organizations, alignment with CPG 2.0 is also emerging as a strong expectation in procurement and risk assessments.


How does CPG 2.0 relate to NIST CSF 2.0?

CPG 2.0 is fully mapped to NIST CSF 2.0 and uses its six functions (Govern, Identify, Protect, Detect, Respond, and Recover) as its organizational structure. If your organization already has a NIST CSF program, CPG 2.0 gaps can be identified through a structured cross-mapping exercise. The new Govern function in NIST CSF 2.0 is particularly relevant to the CPG 2.0 supply chain and third-party goals.


What's the biggest new requirement in CPG 2.0 for OT environments?

The consolidation of IT and OT into unified goals is the most structurally significant change for OT operators. Previously, OT-specific goals were treated separately, which allowed organizations to under-invest in OT cybersecurity by treating it as a different risk category. CPG 2.0 closes that gap. The new zero-trust and network segmentation goals apply to OT environments, with CISA acknowledging that implementation approaches will differ from IT.


How long do organizations have to comply with CPG 2.0?

There is no mandatory compliance deadline for the voluntary CPG 2.0 framework. However, CISA's Cost, Impact, and Ease of Implementation ratings suggest that many of the highest-priority goals (phishing-resistant MFA, asset inventory, email security) can be implemented within 30 to 90 days. Organizations should use these ratings to build a sequenced implementation roadmap rather than treating CPG 2.0 as an all-or-nothing exercise.


Can a GRC platform automate CPG 2.0 evidence collection?

Yes, and for critical infrastructure operators managing multiple concurrent frameworks, automation is not optional. Manual evidence collection across CPG 2.0, NIST CSF 2.0, and sector-specific regulations creates unsustainable workloads and introduces gaps that auditors will find. Platforms like 6clicks that support continuous evidence ingestion from IT and OT systems, cross-framework mapping, and AI-assisted control assessment can dramatically reduce the compliance burden while improving assurance quality.

Ready to see GRC that works where others can't?

Join us for our upcoming webinar, GRC that works where others can't, built for critical infrastructure operators, defense contractors, and regulated industries managing compliance in complex, high-security environments.

