CISA Updates Voluntary Cybersecurity Performance Goals for Critical Infrastructure
The Cybersecurity and Infrastructure Security Agency has issued a new version of its voluntary Cybersecurity Performance Goals, introducing more granular, measurable controls for critical infrastructure sectors and aligning them with the latest NIST guidance. The update tightens expectations around governance, identity management, incident response, and supply chain assurance, with particular emphasis on health care and other highly targeted verticals, and is intended to serve as a practical baseline architecture for operators that lack mature security programs.
Strategic Shift Toward Measurable, Sector-Agnostic Baselines
The updated goals move from largely conceptual recommendations toward prescriptive, outcome-based controls that operators can directly measure and audit. Instead of generic exhortations to improve security, the framework now articulates specific expectations around asset inventories, configuration management, vulnerability remediation timeframes, and incident detection capabilities. This approach is designed to reduce the gap between strategic intent and day-to-day implementation, especially for organizations with limited internal security expertise.
The goals are framed as a common baseline across all critical infrastructure sectors, but they explicitly recognize that resource constraints and risk profiles differ by industry. The structure emphasizes foundational controls that are broadly applicable, such as identity and access management, logging, backup hygiene, and governance, which can then be extended by sector-specific regulatory or contractual requirements. This baseline orientation is intended to provide a floor, not a ceiling, for defensive capabilities.
Alignment With Current NIST Cybersecurity Standards
The new version explicitly aligns with the most recent iterations of NIST’s cybersecurity frameworks and special publications, including updated treatment of governance, supply chain risk, and emerging technologies. By referencing the same control families and terminology, it becomes easier for organizations already working within NIST-based programs to map the voluntary goals into their existing control catalogs and risk registers.
This alignment also streamlines audit and compliance activities. Organizations can demonstrate adherence to both NIST-derived requirements and the voluntary goals using a single set of artifacts, such as control implementation statements, test plans, and continuous monitoring dashboards. The closer coupling between the two bodies of guidance reduces duplication of effort and helps ensure that recommended practices are consistent across federal and sector-specific documents.
Governance, Accountability, and Executive Oversight
The update gives substantially more attention to cybersecurity governance and executive accountability than prior iterations. It stresses that boards and senior leadership must treat cybersecurity as an enterprise risk management function, not solely an IT concern, and that responsibilities for cyber risk acceptance and remediation should be explicitly assigned. This includes defining decision rights around risk tolerance, exception handling, and investment priorities.
The goals encourage organizations to formalize governance structures such as cybersecurity steering committees, regular board-level reporting, and integration of cyber risk metrics into overall corporate performance dashboards. They also underscore the importance of documented policies, clear escalation paths, and repeatable decision processes. This focus is intended to counter fragmented, ad hoc security decision-making that often leads to inconsistent implementation and insufficient resourcing.
Operational Controls: Identity, Detection, and Resilience
On the operational side, the updated goals refine expectations across identity and access management, threat detection, and resilience engineering. Identity requirements emphasize strong authentication for privileged accounts, principled use of multi-factor authentication, least-privilege role design, and regular access recertification. The guidance recognizes that identity systems are critical control planes whose compromise can rapidly escalate into systemic incidents.
For detection and response, the goals call for comprehensive logging across critical systems, centralized log aggregation, and correlation capabilities that enable timely detection of anomalous behavior. Organizations are encouraged to define service-level objectives for incident triage and containment, supported by tested runbooks that cover both technical and business decision flows. Resilience-related guidance stresses the need for immutable, regularly tested backups, network segmentation for blast-radius reduction, and clearly prioritized recovery sequences for critical services.
Supply Chain and Third-Party Risk Management
The update reflects the growing impact of software supply chain and third-party dependencies on overall risk posture. It recommends that critical infrastructure entities maintain inventories of key vendors and service providers, define minimum security expectations in contracts, and implement ongoing assurance activities such as security questionnaires, independent assessments, and continuous monitoring of exposed attack surfaces. This is positioned as a core governance duty, rather than a peripheral procurement function.
Technical expectations include validating software integrity through mechanisms such as code signing verification, controlling administrative access granted to vendors, and enforcing network and identity segmentation for third-party connections. Operators are also encouraged to plan for the operational impact of supplier compromise or outage, including predefined failover strategies and communication protocols. These measures are meant to reduce the systemic risk posed by concentrated dependencies on a small number of technology or service providers.
Sector Spotlight: Health Care and Other High-Risk Verticals
Health care receives specific attention due to its combination of life-safety implications, legacy technology, and constrained resources. The goals highlight the need for accurate inventories of clinical devices, segregation of medical networks from general IT networks, and tailored patching and compensating control strategies for systems that cannot be easily updated. Emphasis is also placed on protecting electronic health records and other sensitive patient data through rigorous access controls and encryption.
Other highly targeted sectors, such as energy and transportation, are implicitly addressed through the broader focus on operational technology security and resilience. While the document remains voluntary, its structure and terminology are designed so that sector regulators, insurance carriers, and large ecosystem partners can reference it in their own guidance and requirements. This creates a path for the goals to influence actual operating practices even without direct regulatory force.
Implementation Considerations for Resource-Constrained Operators
Recognizing that many critical infrastructure entities operate with limited security staff and budget, the update stresses prioritization and phased implementation. Organizations are encouraged to perform gap assessments against the goals and then sequence remediation work based on potential risk reduction and implementation complexity. The measurable nature of the new controls lends itself to simple maturity scoring, enabling operators to track progress over time and justify targeted investments.
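One way to operationalize the gap assessment, risk-versus-complexity sequencing, and simple maturity scoring described above, as an added Python illustration that is not part of CISA's guidance or any CISA tooling; the goal labels and the 1-5 scores are constructed placeholders drawn from control areas the article names, not official CPG identifiers:

```python
"""Gap assessment, phased remediation and maturity scoring (added illustration)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Goal:
    name: str            # control area (constructed label, not a CPG identifier)
    implemented: bool    # outcome of the gap assessment
    risk_reduction: int  # 1-5: estimated risk reduction once implemented
    complexity: int      # 1-5: estimated implementation effort


# Constructed sample assessment for a small operator (scores are illustrative).
ASSESSMENT = [
    Goal("asset inventory", True, 4, 2),
    Goal("MFA for privileged accounts", False, 5, 2),
    Goal("centralized log aggregation", False, 4, 4),
    Goal("immutable, tested backups", False, 5, 3),
    Goal("network segmentation", False, 4, 5),
    Goal("vendor inventory and contract minimums", False, 3, 2),
    Goal("access recertification", True, 3, 3),
]


def maturity_score(goals):
    """Risk-weighted percentage of goals already in place (0-100)."""
    total = sum(g.risk_reduction for g in goals)
    done = sum(g.risk_reduction for g in goals if g.implemented)
    return round(100 * done / total) if total else 0


def prioritized_gaps(goals):
    """Open gaps ordered by risk reduction per unit of complexity, then raw risk."""
    gaps = [g for g in goals if not g.implemented]
    return sorted(gaps, key=lambda g: (-g.risk_reduction / g.complexity,
                                       -g.risk_reduction, g.name))


def phase_plan(goals, budget_per_phase):
    """Group prioritized gaps into phases whose summed complexity fits the budget."""
    phases, current, used = [], [], 0
    for g in prioritized_gaps(goals):
        if current and used + g.complexity > budget_per_phase:
            phases.append(current)
            current, used = [], 0
        current.append(g.name)
        used += g.complexity
    if current:
        phases.append(current)
    return phases
```

Re-running `maturity_score` after each phase gives the trend line the article suggests using to justify targeted investment.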
The guidance also implicitly supports the use of managed security services, shared-sector utilities, and automation to compensate for skills shortages. By making expectations more concrete, it becomes easier to define and verify the responsibilities of external providers and to procure solutions that directly address identified gaps. This pragmatic orientation is intended to help even smaller operators move toward a defensible, continuously improvable security posture.