

Prayukth KV
December 24, 2025
Understanding CISA’s CPG 2.0 update
In the fast-moving world of cybersecurity, "baseline security" is almost always a moving target. On December 11, 2025, CISA officially raised the security bar with the release of the Cybersecurity Performance Goals (CPG) 2.0.
If version 1.0 was about identifying "what" to do, version 2.0 is about "how" to govern and scale those security actions across increasingly complex environments and processes. This update isn't just a minor refresh or a year-end rethink. Instead, it is a strategic realignment with the latest threat landscape, operational imperatives and the NIST Cybersecurity Framework (CSF) 2.0.
So here is what every CISO, IT manager, security analyst, SOC team member and board member needs to know about the new CPG Report 2.0.
Before we move forward, don’t forget to check out our initial investigation and analysis report on the Nissan-Red Hat breach here.
The ascent of "Govern": Security starts at the top
The most significant shift in CPG 2.0 is the full integration of the Govern function. While the previous version focused heavily on technical controls, 2.0 recognizes that even the best tools fail without organizational accountability.
Leadership accountability: The updated goals explicitly call for defined cybersecurity responsibilities at the executive level.
Risk management: It pushes organizations to treat cyber risk as a business risk, moving away from siloed IT conversations.
Strategic integration: Security is no longer an "add-on"—it must be baked into day-to-day operations and capital investment planning.
Breaking the silos: Unifying IT and OT security goals
For years, Operational Technology (OT) and Information Technology (IT) have been treated as different worlds. CPG 2.0 effectively ends that era. The new report consolidates the OT-specific goals into the Universal Goals.
By creating a unified framework, CISA is helping organizations, especially small and medium-sized ones, manage their entire digital footprint without needing separate playbooks for their office networks and their factory floors or water pumps. This is a huge step towards simplifying SecOps goals.
New goals for modern threats
The 2.0 report introduces new goals while removing three that were deemed duplicative or underutilized. The additions address the specific tactics we’ve seen dominate the threat landscape over the last year:
Managed Service Provider (MSP) risk: New goals for managing third-party providers with deep system access.
Least privilege and zero trust: Clearer expectations for implementing "Principles of Least Privilege" to stop lateral movement.
Malicious code detection: A dedicated focus on identifying and blocking unauthorized code before it executes.
Incident communication: Standardized procedures for how organizations talk to stakeholders during a crisis.
Better data for better decisions
CISA has overhauled the implementation ratings in the report. Each goal now includes improved metrics for:
Cost: What is the actual financial burden?
Impact: How much does this actually reduce risk?
Complexity: How hard is this to maintain long-term?
These ratings provide security teams with a powerful tool to justify budgets to the board. Instead of asking for "more security," you can now present a data-driven case for high-impact, low-cost "quick wins" outlined in the CPGs.
How to get started with CPG 2.0
The CPGs remain voluntary, but they are rapidly becoming the "gold standard" for what a foundational security posture looks like in the eyes of regulators and insurance providers.
Conduct a Gap Analysis: Use the new CPG 2.0 checklist to see where your current program stands.
Focus on the "Govern" Function: If your leadership isn't involved in the conversation yet, use the new 2.0 reporting structure to bring them in.
Leverage CISA Resources: Look for the new CSET (Cyber Security Evaluation Tool) module coming in Q1 2026 to automate your assessment.
The Bottom Line: CISA CPG 2.0 isn't about doing more. Instead, it’s about doing the right things more effectively to achieve better-aligned outcomes. By aligning with NIST CSF 2.0 and unifying IT/OT security, CISA has provided a roadmap that is finally as integrated as the systems we are trying to protect.
You can download the complete document here.
Learn more about the threat landscape this document is referring to, here.