{"id":187631,"date":"2026-02-12T03:00:00","date_gmt":"2026-02-12T08:00:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/12\/cisa-and-cross-sector-cybersecurity-performance\/"},"modified":"2026-02-15T14:50:25","modified_gmt":"2026-02-15T19:50:25","slug":"cisa-and-cross-sector-cybersecurity-performance","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/12\/cisa-and-cross-sector-cybersecurity-performance\/","title":{"rendered":"CISA and Cross-Sector Cybersecurity Performance\u00a0"},"content":{"rendered":"<p><a href=\"https:\/\/securityboulevard.com\/2026\/02\/cisa-and-cross-sector-cybersecurity-performance\/\">CISA and Cross-Sector Cybersecurity Performance\u00a0<\/a><\/p>\n<p><a href=\"https:\/\/securityboulevard.com\/2026\/02\/cisa-and-cross-sector-cybersecurity-performance\/\">https:\/\/securityboulevard.com\/2026\/02\/cisa-and-cross-sector-cybersecurity-performance\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-02-12 03:00:00<\/a><\/p>\n<p>Source Domain: <a href=\"securityboulevard.com\">securityboulevard.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p>CISA\u2019s Cross-Sector Cybersecurity Performance Goals (CPGs) reflect the federal government\u2019s effort to raise the baseline for basic cybersecurity effectiveness. 
CPG 2.0 breaks away from the idea of a strict framework, instead establishing a strategic, outcome-driven baseline for cybersecurity performance that cuts across industries, operating environments, and organizational maturity levels.<br \/>\nFor CISOs, CIOs, and compliance officers, the value of CPG 2.0 lies in its reframing of cybersecurity as a set of measurable performance expectations anchored in governance and risk management.<br \/>\n\u00a0<\/p>\n<p>Why Cross-Sector Performance Goals Exist at All<br \/>\nMost organizations already operate within multiple cybersecurity frameworks and regulatory jurisdictions, all of which call for overlapping and (in some cases) competing resources. While these frameworks provide structure, they often fail to answer a more fundamental question about risk management.<br \/>\nCPGs were created to define the highest-impact cybersecurity outcomes that organizations should reasonably achieve, regardless of industry, as a baseline. They are intentionally sector-agnostic, reflecting a growing consensus among policymakers and practitioners that cybersecurity resilience is not achieved by implementing everything, but by prioritizing the right things and measuring their effectiveness.<br \/>\n\u00a0<br \/>\nWhat Makes CPG 2.0 Different From Traditional Frameworks<br \/>\nThe original CPGs were introduced in 2022 to set up an agnostic set of best practices and outcomes that would benefit any agency or business. The most notable change during the move to 2.0 is the explicit elevation of governance to a first-class cybersecurity function. By foregrounding governance, CPG 2.0 reframes cybersecurity as a leadership responsibility rather than a purely technical domain. For CISOs and CIOs, this provides a stronger foundation for engaging boards and executives in meaningful risk discussions. 
For compliance officers, it creates a clearer line between cybersecurity activities and enterprise risk management.<br \/>\n\u00a0<br \/>\nCPG 2.0 in Practice: The Six Functions and Their Core Goals<\/p>\n<p>\u00a0<br \/>\nGovern: Leadership, Accountability, and Cyber Risk Strategy<br \/>\nThe inclusion of Governance as a core function is a defining innovation of CPG 2.0. It transforms cybersecurity from a technical discipline into a strategic enterprise risk capability.<br \/>\nGovernance goals require leadership engagement in cybersecurity oversight, straightforward assignment of roles and responsibilities, and integration with broader business risk strategy. They also emphasize managing risks from third-party providers, making cybersecurity a board-level conversation rather than an IT task.<br \/>\nFrom an executive perspective, this means:<\/p>\n<p>Establishing risk tolerances and priorities in line with business objectives.<br \/>\nEnsuring cyber strategy is reflected in enterprise planning, budgeting, and risk reporting.<br \/>\nHolding business owners accountable for cyber performance outcomes.<\/p>\n<p>By embedding governance at the core, CPG 2.0 reinforces that cybersecurity performance must be visible to the C-suite and board, not buried in tactical reports.<br \/>\n\u00a0<br \/>\nIdentify: Understanding the Environment and Risk Landscape<br \/>\nThe Identify function requires organizations to gain a rich, contextual awareness of assets, dependencies, and risks. 
This goes beyond basic inventories to include supply chain exposure, third-party software dependencies, and organizational priorities.<br \/>\nPerformance goals under Identify push teams to:<\/p>\n<p>Understand which assets are critical to mission and operations.<br \/>\nRecognize how changes (such as third-party integrations or technology rollouts) expand the risk landscape.<br \/>\nValidate asset and vulnerability data against real-world risk scenarios.<\/p>\n<p>This capability is essential for executive-level decision-making because it informs discussions on where investment has the greatest impact and where exposure could disrupt revenue or operations.<br \/>\n\u00a0<br \/>\nProtect: Controls That Reduce Risk and Limit Impact<br \/>\nProtect goals spell out expectations for defenses that reduce risk exposure. These include identity and access management, network segmentation, secure configurations, encryption, and backup strategies.<br \/>\nRather than listing controls, CPG 2.0 reframes them as performance outcomes: whether these safeguards genuinely limit the effectiveness of an attack and contain the blast radius in the event of an incident.<br \/>\nFor example, goals under Protect emphasize:<\/p>\n<p>Least-privilege and strong authentication.<br \/>\nSegmentation that limits lateral movement.<br \/>\nSecurity measures that reduce operational risk without impeding business processes.<\/p>\n<p>\u00a0<br \/>\nDetect: Turning Noise into Insight<br \/>\nThe ability to detect security issues is what separates a reactive business from a proactive one: detection capability is the key differentiator between organizations that merely react to incidents and those that respond proactively. 
CPG 2.0 frames detection as a performance metric that measures visibility, context, and the timely identification of adverse events.<br \/>\nSpecific performance expectations include:<\/p>\n<p>Systems that detect malicious code and abnormal activity in a meaningful timeframe.<br \/>\nThe ability to distinguish between benign and malicious events with precision.<br \/>\nMechanisms that support escalation, investigation, and action.<\/p>\n<p>For executives, detection performance correlates with time to awareness, a metric that directly impacts incident severity and operational impact.<br \/>\n\u00a0<br \/>\nRespond: Coordinated, Effective Actions Under Pressure<br \/>\nResponse is where governance and preparedness visibly intersect with operational capability. CPG 2.0 expects organizations to not only have response plans but also exercise, refine, and coordinate them across functions.<br \/>\nPerformance goals in this function emphasize:<\/p>\n<p>Clear communication protocols that involve technical teams, legal, communications, and leadership.<br \/>\nPredefined decision rights for containment and remediation.<br \/>\nProcesses that reduce confusion and accelerate effective action.<\/p>\n<p>Organizations that routinely exercise response plans and capture lessons learned demonstrate resilience, reducing potential business impact and legal risk.<br \/>\n\u00a0<br \/>\nRecover: Restoration and Organizational Learning<br \/>\nRecovery often takes a back seat to preventive security efforts, but this is a critical mistake. An organization\u2019s ability to recover from attacks is just as crucial as its prevention. CPG 2.0 elevates system recovery as a process tied to continuity and improvement, both of which are measurable. 
Recovery goals look beyond restoring systems to ensuring operations return to normal with minimal disruption, and lessons from the incident improve future resilience.<br \/>\nThis means:<\/p>\n<p>Validating restore processes and timelines.<br \/>\nEnsuring communication during recovery is aligned with stakeholder expectations.<br \/>\nEmbedding learnings into future planning and investment decisions.<\/p>\n<p>\u00a0<br \/>\nOperationalizing CPG 2.0 Without Turning It Into Another Checklist<br \/>\nThe greatest risk of rote compliance is that it becomes a performance, a checklist, rather than a set of best practices.\u00a0 CPG 2.0 can avoid this trap only if leaders resist the urge to treat it as another mapping exercise.<br \/>\nSuccessful organizations will use CPG 2.0 as a strategic lens to evaluate whether cybersecurity aligns with the outcomes leadership actually cares about. This often involves integrating CPG concepts into enterprise risk management, budget planning, and board reporting rather than isolating them within security programs.<br \/>\nSuccessful organizations will learn from CPGs rather than view them as a ruleset. Furthermore, they\u2019ll see these lessons as ones with outcomes. That is, the result isn\u2019t \u201cwe implemented the right control,\u201d but rather, \u201cthis control improves response times\u201d or \u201cthis practice reduces incidents of data exposure.\u201d<br \/>\n\u00a0<br \/>\nRely on Foundational Best Practices with Lazarus Alliance<br \/>\nCPG 2.0 provides a language and structure for that conversation. 
It enables CISOs, CIOs, and compliance officers to move beyond defensive explanations toward proactive, performance-based narratives that resonate with executives.<br \/>\nTo learn more about how Lazarus Alliance can help, contact us.\u00a0<\/p>\n<p>The post CISA and Cross-Sector Cybersecurity Performance\u00a0 appeared first on .<\/p>\n<p>*** This is a Security Bloggers Network syndicated blog from MichaelPeters.org authored by Michael Peters. 
Read the original post at: https:\/\/michaelpeters.org\/cisa-and-cross-sector-cybersecurity-performance\/<br \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA and Cross-Sector Cybersecurity Performance\u00a0 https:\/\/securityboulevard.com\/2026\/02\/cisa-and-cross-sector-cybersecurity-performance\/ Publish Date: 2026-02-12 03:00:00 Source Domain: securityboulevard.com Author: Using&#8230;<\/p>\n","protected":false},"author":1,"featured_media":187632,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityboulevard.com\/wp-content\/uploads\/2018\/01\/TwitterLogo-002.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,27],"class_list":["post-187631","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/187631"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=187631"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/187631\/revisions"}],"predecessor-version":[{"id":187633,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/187631\/revisions\/187633"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/187632"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=187631"}],"wp:term":[{"taxono
my":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=187631"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=187631"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}