CISA Cybersecurity Benchmarks Updated For Critical Infrastructure Organizations

CISA cybersecurity benchmarks received a major update for critical infrastructure. The Cybersecurity and Infrastructure Security Agency released Version 2.0 of its Cross-Sector Cybersecurity Performance Goals.

The revision adds a Govern category, unifies IT and OT guidance, and clarifies implementation. It strengthens coverage of supply chain risk, zero trust, and incident response communications.

Utilities, grid operators, water systems, hospitals, and other operators gain clearer, data-driven direction for planning, funding, and overseeing enterprise security improvements.

CISA Cybersecurity Benchmarks: What You Need to Know

  • Version 2.0 adds a Govern category, unifies IT and OT goals, and sharpens guidance on supply chain, zero trust, and incident response communications.

Recommended Tools to Operationalize the Benchmarks

Use these solutions to support governance, IT and OT, and incident readiness.

  • Bitdefender: Advanced endpoint protection that reduces ransomware and malware risk.
  • 1Password: Enterprise password and secrets management for strong authentication.
  • IDrive: Secure cloud backup and recovery to support resilience and incident response.
  • Tenable: Continuous exposure management to prioritize and remediate vulnerabilities.

How Version 2.0 refines CISA cybersecurity benchmarks

Version 2.0 of CISA’s Cross-Sector Cybersecurity Performance Goals incorporates three years of operational feedback. The new Govern category elevates executive accountability for risk oversight, budgeting, and outcomes aligned to CISA cybersecurity benchmarks.

CISA consolidated information technology and operational technology goals to reflect converged environments. The change reduces silos and supports unified risk management guided by CISA cybersecurity benchmarks.

New objectives emphasize supply chain threats, zero trust architecture, and incident response communications. The updates align the framework with emerging risks and practical actions organizations can take now.

CISA clarified implementation steps and added cost, impact, and difficulty descriptors. The agency also removed three standalone goals that proved confusing or underused in practice to make CISA cybersecurity benchmarks more actionable.

Why the CISA cybersecurity benchmarks matter for critical infrastructure

Introduced in 2022, the CPGs provide uniform, measurable objectives for all sectors.

They complement sector-specific goals developed by CISA for information technology and chemicals, and by other agencies for healthcare and energy, with financial sector CPGs expected. These critical infrastructure cybersecurity goals aim to break down IT and OT silos and guide strategic investment decisions.

See CISA’s CPG hub and the NIST Cybersecurity Framework. Related guidance includes zero trust adoption and full implementation, effective DDoS response, and NPM supply chain attacks.

How to use CISA cybersecurity benchmarks now

Begin by mapping existing controls and policies to the updated CPGs. Use the benchmarks to identify quick wins, prioritize high-impact improvements, and build a roadmap with accountable owners.

Integrate metrics into governance reporting so leaders can track progress and risk reduction. The CISA cybersecurity benchmarks help CISOs demonstrate outcomes, justify investments, and coordinate across security, IT, OT, and business operations.

Practical steps to operationalize the goals

To capture value from the CISA cybersecurity benchmarks, take these actions:

  • Align your program with the CPGs and the NIST CSF to create a common language across teams and regulators.
  • Formalize board and executive oversight with regular risk reporting tied to benchmark outcomes.
  • Test and refine incident response communications across IT and OT, including external partners and regulators.
  • Strengthen supplier assessments, SBOM usage, and software vetting to reduce supply chain exposure.
  • Advance zero trust initiatives for identity, devices, and networks to meet priority objectives.
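The mapping-and-prioritization procedure described above (inventory controls against the goals, rank open gaps using the cost, impact and difficulty descriptors, flag quick wins, assign owners, and report coverage per category for governance) is shown below as a small worked example. This is added illustration, not a CISA tool or any code from the CPG publication. The goal identifiers, titles and ratings in the embedded CSV are constructed placeholders, not actual CPG 2.0 goal numbers, and the scoring formula is an assumption chosen for the example.

```python
"""Rank CPG gaps into a roadmap from a control inventory (added example, not CISA's tooling)."""
import csv
import io
from dataclasses import dataclass

# Descriptor levels as used by the CPG cost / impact / difficulty ratings.
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class GoalAssessment:
    goal_id: str       # constructed placeholder, not a real CPG 2.0 goal number
    title: str
    category: str      # Govern, Identify, Protect, Detect, Respond or Recover
    cost: str
    impact: str
    difficulty: str
    implemented: bool
    owner: str         # "unassigned" when the inventory row has no owner


# Constructed sample inventory; ids, titles and ratings are illustrative only.
SAMPLE_INVENTORY = """goal_id,title,category,cost,impact,difficulty,implemented,owner
G-1,Executive risk oversight cadence,Govern,low,high,low,no,CISO
P-1,Phishing-resistant MFA for remote access,Protect,medium,high,medium,no,IT Ops
I-1,Asset inventory spanning IT and OT,Identify,medium,high,medium,yes,OT Lead
G-2,Supplier assessments with SBOM review,Govern,medium,medium,medium,no,
R-1,IR communications exercise with OT and regulators,Respond,low,high,low,no,
D-1,Log collection at the OT network boundary,Detect,high,medium,high,no,SOC
"""


def _level(name: str, value: str) -> int:
    """Map a descriptor to its numeric level; reject anything outside low/medium/high."""
    try:
        return LEVEL[value.strip().lower()]
    except KeyError:
        raise ValueError(f"{name} must be low/medium/high, got {value!r}") from None


def load_assessments(csv_text: str) -> list[GoalAssessment]:
    """Parse the inventory CSV, validating descriptors so bad rows fail early."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in ("cost", "impact", "difficulty"):
            _level(field, row[field])
        rows.append(GoalAssessment(
            goal_id=row["goal_id"].strip(),
            title=row["title"].strip(),
            category=row["category"].strip(),
            cost=row["cost"].strip().lower(),
            impact=row["impact"].strip().lower(),
            difficulty=row["difficulty"].strip().lower(),
            implemented=row["implemented"].strip().lower() in ("yes", "true", "1"),
            owner=row["owner"].strip() or "unassigned",
        ))
    return rows


def priority_score(a: GoalAssessment) -> int:
    """Assumed formula: reward impact, penalise cost and difficulty (range -3..7)."""
    return 3 * LEVEL[a.impact] - LEVEL[a.cost] - LEVEL[a.difficulty]


def open_gaps(assessments: list[GoalAssessment]) -> list[GoalAssessment]:
    """Goals not yet implemented, in inventory order."""
    return [a for a in assessments if not a.implemented]


def quick_wins(assessments: list[GoalAssessment]) -> list[str]:
    """Open goals rated high impact, low cost and low difficulty."""
    return [a.goal_id for a in open_gaps(assessments)
            if a.impact == "high" and a.cost == "low" and a.difficulty == "low"]


def roadmap(assessments: list[GoalAssessment]) -> list[tuple[str, int]]:
    """Open goals ranked by priority score (ties broken by id) for sequencing work."""
    ranked = sorted(open_gaps(assessments), key=lambda a: (-priority_score(a), a.goal_id))
    return [(a.goal_id, priority_score(a)) for a in ranked]


def unassigned_owners(assessments: list[GoalAssessment]) -> list[str]:
    """Open goals with nobody accountable; these block the roadmap until assigned."""
    return sorted(a.goal_id for a in open_gaps(assessments) if a.owner == "unassigned")


def coverage_by_category(assessments: list[GoalAssessment]) -> dict[str, tuple[int, int]]:
    """(implemented, total) per category, the figure a governance report would track."""
    cov: dict[str, tuple[int, int]] = {}
    for a in assessments:
        done, total = cov.get(a.category, (0, 0))
        cov[a.category] = (done + int(a.implemented), total + 1)
    return cov


if __name__ == "__main__":
    inventory = load_assessments(SAMPLE_INVENTORY)
    print("quick wins:", quick_wins(inventory))
    print("roadmap:", roadmap(inventory))
    print("needs owner:", unassigned_owners(inventory))
    for cat, (done, total) in sorted(coverage_by_category(inventory).items()):
        print(f"{cat}: {done}/{total} implemented")
```

The CSV columns mirror what a control-mapping spreadsheet usually holds; swapping the embedded sample for a real export is the only change needed to run it against your own inventory. Re-running the coverage function at each reporting interval gives the per-category trend that the governance reporting step asks for.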

Implications for operators and regulators

Version 2.0 delivers clearer governance expectations, unified IT and OT guidance, and more specific targets for supply chain defense, zero trust, and incident response communications.

Organizations can use the CISA cybersecurity benchmarks to prioritize resources, align budgets, and accelerate measurable risk reduction across critical operations.

Transition effort remains a challenge. Teams must remap controls, coordinate across business units, and sustain continuous improvement.

The streamlined structure and clarified implementation guidance should reduce ambiguity and help leaders focus on outcomes rather than checklists.

Build Capabilities That Align with CISA’s Update

These tools support visibility, governance, and incident readiness across IT and OT.

  • Auvik: Network monitoring and mapping that improves visibility and response speed.
  • EasyDMARC: Email authentication that reduces phishing, spoofing, and impersonation.
  • Optery: Automated personal information removal to limit doxxing and social engineering risk.
  • Passpack: Team password management that enforces strong access controls and policies.

Conclusion

CISA cybersecurity benchmarks Version 2.0 give critical infrastructure clearer, outcome-focused guidance informed by operational feedback. The Govern category underscores leadership accountability.

By consolidating IT and OT goals and refining direction on supply chain risk, zero trust, and incident response communications, the update improves planning and measurement.

Now is the time to map controls, set priorities, and align reporting. With practical steps and executive support, organizations can use the CISA cybersecurity benchmarks to drive measurable, risk-based improvements.

Questions Worth Answering

What are the Cross-Sector Cybersecurity Performance Goals?

They are CISA’s prioritized, measurable objectives that help critical infrastructure reduce cyber risk with consistent, outcome-focused practices across sectors.

How is Version 2.0 different from the 2022 release?

It adds a governance category, consolidates IT and OT goals, clarifies implementation, and expands guidance on supply chain, zero trust, and incident response communications.

Who should use the CISA cybersecurity benchmarks?

Utilities, grid operators, water facilities, hospitals, and other operators that manage essential services should adopt the benchmarks to guide risk and investment decisions.

Do these goals replace other frameworks like NIST CSF?

No. The CPGs complement frameworks such as the NIST CSF by translating strategy into prioritized actions and metrics.

What sectors have specific CPGs?

CISA issued sector-specific goals for information technology and chemicals. Other agencies published goals for healthcare and energy, with financial sector goals expected.

How should executive leaders engage with Version 2.0?

Leaders should establish governance routines, resource roadmaps, and performance metrics that connect CPG adoption to risk reduction and resilience outcomes.

Where can organizations find official resources?

Access CISA’s CPG hub and the NIST Cybersecurity Framework for authoritative guidance and implementation materials.

About the Cybersecurity and Infrastructure Security Agency (CISA)

The Cybersecurity and Infrastructure Security Agency is the United States federal agency charged with protecting critical infrastructure from cyber and physical threats.

CISA issues guidance, shares threat intelligence, and works with public and private stakeholders to strengthen national resilience and incident preparedness.

Its Cross-Sector Cybersecurity Performance Goals focus organizations on high-impact practices that reduce risk across industries and support consistent measurement.

About Madhu Gottumukkala

Madhu Gottumukkala serves as CISA’s acting director and emphasizes collaboration with government and industry partners.

Gottumukkala highlights feedback-driven guidance and practical outcomes across agency initiatives that support resilience.

Under this leadership, Version 2.0 of the CPGs integrates real operational input and clearer direction to speed adoption.

More smart security picks

Tresorit, Tenable, and CyberUpgrade: accelerate compliance, secure data, and reduce risk today.