Securing Operational Technology (OT) and Industrial Control Systems (ICS) within critical infrastructure environments is a growing challenge. These systems often run on legacy technologies, rely on proprietary protocols, and are built with high availability (not cybersecurity) as the primary design priority. As a result, many traditional IT security controls simply don’t translate to OT environments without significant adaptation.

Recognizing these challenges, the Cybersecurity and Infrastructure Security Agency (CISA) developed a set of Cross-Sector Cybersecurity Performance Goals (CPGs) to help organizations, especially those in critical infrastructure, implement foundational cybersecurity practices tailored to OT/ICS realities.

In this post, we’ll explore: 

  • What the CISA CPGs are 
  • Why they matter for OT/ICS security programs 
  • The benefits and challenges of using the CPGs in OT/ICS environments 
  • How to get started using them to enhance resilience and reduce cyber risk 

Background on the CISA CPGs

Launched in 2022, the CISA CPGs were developed as a baseline set of voluntary cybersecurity practices for critical infrastructure owners and operators. The CPGs aim to help organizations improve their security posture through clear, actionable, and prioritized guidance.

The goals were created through a collaborative process involving: 

  • Private sector partners
  • Federal agencies 
  • Academic and technical institutions  

This collaboration ensures the CPGs reflect not only best practices but also real-world operational constraints across sectors like energy, transportation, water, manufacturing, and more. 

The goals and recommendations in the CPGs are based on well-established cybersecurity frameworks like the NIST Cybersecurity Framework, as well as CISA’s own incident response and threat intelligence data. The intent is to distill the most impactful cybersecurity practices into a concise, easy-to-use set of guidelines.

The CPGs are organized around the five core functions of the NIST Cybersecurity Framework:

  1. Identify – Understand the cybersecurity risks facing your organization.
  2. Protect – Implement safeguards to limit or contain the impact of a cybersecurity event. 
  3. Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  4. Respond – Take the right steps when a cybersecurity event is detected.
  5. Recover – Restore any capabilities or services impaired due to a cybersecurity event.

The CPGs provide specific, actionable recommendations within these core functions to help critical infrastructure organizations improve their overall cybersecurity posture.

Overview of the CISA CPGs

The CISA CPGs span a comprehensive set of best practices tailored specifically for OT/ICS environments. These recommendations are organized around the five core functions of the NIST Cybersecurity Framework, providing a familiar structure while delivering OT-relevant guidance. Let’s take a closer look at key recommendations across the five core functions:

Identify
  • Establish a single leader responsible and accountable for OT cybersecurity
  • Maintain a comprehensive inventory of all OT assets, including connections to IT systems
  • Improve working relationships and mutual understanding between IT and OT security teams
Protect
  • Change default passwords on all OT devices before connecting them to networks
  • Implement multi-factor authentication (MFA) for remote access to OT systems
  • Disable macros and other executable content in productivity suites by default
  • Secure and monitor all connections between IT and OT networks
Detect
  • Document relevant cybersecurity threats and adversary tactics, techniques, and procedures (TTPs)
  • Collect and centralize security logs from OT devices and networks
Respond
  • Maintain detailed incident response plans that cover both IT and OT systems
  • Promptly report confirmed cybersecurity incidents to CISA and other relevant authorities
Recover
  • Develop comprehensive backup and recovery procedures for business-critical OT assets
  • Regularly test incident response and recovery plans through tabletop exercises

These are just a few highlights; the full CPG document covers over 30 specific recommendations across the five core functions.

Benefits of Using the CISA CPGs

For critical infrastructure organizations, the CISA CPGs offer a uniquely relevant and practical roadmap for enhancing OT/ICS security. Unlike more generic frameworks, the CPGs were developed with the operational realities and limitations of industrial environments in mind. Here are four reasons why the CPGs deserve strong consideration in your cybersecurity strategy:

1. Designed Specifically for Critical Infrastructure

The CPGs were created with a clear focus on the distinct challenges faced by critical infrastructure operators, including legacy systems, real-time operational constraints, limited staffing, and the need for high availability. They reflect a deep understanding of the OT/ICS landscape and provide realistic guidance for improving security without disrupting operations.

2. Actionable Guidance

Rather than offering vague principles, the CPGs present step-by-step, prioritized recommendations that can be implemented at various stages of maturity. This practical approach makes them especially valuable for smaller or resource-constrained organizations that need a clear starting point for securing their OT assets.

3. Alignment with Industry Standards

The CPGs are intentionally aligned with and complement other well-known cybersecurity frameworks like NIST CSF, NERC CIP, and ISA/IEC 62443. This alignment allows organizations to map CPG recommendations to existing compliance or governance models, helping avoid duplication and improve integration.

4. Government-Backed Authority

As a product of CISA, the CPGs carry the weight and credibility of the U.S. government’s lead civilian cybersecurity agency. This backing can help organizations gain leadership support, justify investments, and demonstrate alignment with national-level guidance.

Ultimately, the CISA CPGs provide a clear, comprehensive, and authoritative roadmap for improving OT/ICS cybersecurity in line with industry best practices. Organizations that adopt the CPGs can enhance their overall security posture and better protect against the growing threat landscape.

Challenges with Using the CISA CPGs

While the CISA CPGs provide valuable, high-level guidance for improving OT/ICS cybersecurity, they are not without limitations. Organizations adopting the CPGs should be aware of a few key challenges that may affect implementation, measurement, and long-term effectiveness, such as:

1. Limited Technical Implementation Guidance

The CPGs are designed to be strategically focused and broadly applicable, which means they lack the granular technical details and implementation instructions that operational teams often need. As a result, translating the guidance into concrete security controls can require significant time and resources.

2. Lack of Built-In Metrics for Progress Tracking

Unlike other cybersecurity frameworks that include Key Performance Indicators (KPIs) or maturity models, the CPGs do not include embedded metrics to track progress or measure the effectiveness of controls over time. This makes it difficult for organizations to quantify the impact of their efforts. To address this, organizations may need to layer the CPGs onto an existing measurement framework or develop their own success criteria.

3. Variations Across Sectors and Environments

Critical infrastructure spans a wide range of sectors, each with distinct operational realities, regulatory obligations, and threat profiles. While the CPGs aim to be broadly applicable, they may oversimplify or overlook industry-specific nuances, particularly for larger or more complex organizations. For this reason, larger organizations should use the CPGs to complement another framework or regulatory requirement rather than as their sole baseline.

To successfully leverage the CISA CPGs, organizations must go beyond simply reviewing the guidance: they need to critically evaluate how each goal applies to their specific OT/ICS environment and translate it into operationally viable actions. Ongoing collaboration with CISA, industry groups, and peer organizations can also provide valuable insights, promote shared learning, and help overcome implementation challenges.

Next Steps for Getting Started with the CISA CPGs

If your organization operates in critical infrastructure and is ready to strengthen its OT/ICS cybersecurity posture, the CISA CPGs offer a structured, prioritized starting point. Here are some recommended next steps:

1. Familiarize Yourself with the CPGs

Thoroughly review the full CISA CPG document. Understanding the intent, structure, and recommended actions will help you begin mapping them to your existing cybersecurity and operational programs.

2. Assess Your Current Maturity

Conduct a gap analysis to identify which CPG recommendations you’ve already implemented and where you have room for improvement. CISA provides a helpful CPG Checklist to support this self-assessment. Use it to identify priority areas for risk reduction based on your current posture.

3. Develop an Implementation Roadmap

Create a phased plan for rolling out high-priority CPG recommendations across your OT/ICS systems. Tailor the roadmap to account for resource constraints, legacy technology limitations, and operational continuity requirements. This ensures your rollout is both impactful and realistic. 

4. Establish Metrics and KPIs

Work to define metrics and KPIs that can help you measure the effectiveness of your CPG implementation and track progress over time. Without metrics, it’s difficult to demonstrate value or sustain momentum.

5. Engage with CISA and Peer Organizations

Stay connected with CISA and join industry groups or information sharing networks to share lessons learned, collaborate on solutions, and keep up with the latest CPG updates and guidance.

6. Align CPGs with Existing Compliance Programs

Review how the CPG recommendations map to existing regulatory frameworks like NERC CIP or ISA/IEC 62443. CISA provides the Complete CPGs Matrix/Spreadsheet document, which includes mappings to other standards and frameworks. This mapping helps you leverage CPG adoption as evidence of compliance while reducing redundancy in control implementation.

At Enaxy, we have deep experience helping critical infrastructure organizations strengthen their OT/ICS cybersecurity. Whether you’re just beginning to explore the CISA Cybersecurity Performance Goals or looking to integrate them into an existing program, our team brings the expertise to move you forward with confidence.

We can help you:

  • Assess your current security posture
  • Prioritize and map relevant CPGs to your environment
  • Develop a practical, phased implementation roadmap
  • Deliver ongoing support and performance tracking

The CPGs are a powerful tool, but only if you can translate them into action. Contact us at info@enaxy.com to learn how Enaxy can help your organization take the next step toward a safer, more resilient OT/ICS environment. Let’s secure what matters most.