Compliance Guidance

The CISA Cross-Sector Cybersecurity Performance Goals: A Plain-English Baseline for Contractors

CISA's CPGs aren't a regulation, and they won't appear in a contract clause. But they are the clearest free checklist of "what good looks like" for a small contractor — and a smart way to prepare for the binding standards that will.

Brandon Hancock, J.D., CMMC-RP · Published June 8, 2026 · Updated June 8, 2026 · 6 min read

**Most cybersecurity rules tell contractors *that* they must be secure; far fewer tell them *where to start*. The Cybersecurity and Infrastructure Security Agency's Cross-Sector Cybersecurity Performance Goals (CPGs) are an attempt to answer the second question. First released in October 2022 and updated to version 1.0.1 in March 2023, the CPGs are a voluntary, prioritized set of cybersecurity practices that any organization, including a small government contractor, can use as a baseline. They are not binding and will not show up as a contract clause, but they map closely to the controls that *are* binding, which makes them a useful on-ramp.**

What the CPGs Are

The CPGs distill a large universe of best practices into a short, prioritized list of high-impact actions. A few design choices make them unusually practical:

  • Organized around the NIST Cybersecurity Framework functions — Identify, Protect, Detect, Respond, and Recover — so the structure matches the framework most security programs already use.
  • Rated for cost, impact, and complexity. Each goal carries a simple rating, so a resource-constrained contractor can triage: do the high-impact, low-cost items first.
  • Tied to real-world threats. Goals are mapped to specific adversary techniques (via the MITRE ATT&CK knowledge base), so you can see *which attacks* each control blunts.
  • Built for IT and OT alike. The CPGs explicitly address operational technology, which matters for energy, water, manufacturing, and other critical-infrastructure contractors.

Crucially, the CPGs are a floor, not a ceiling — CISA designed them as a baseline of practices, not a comprehensive security program.

Why a Voluntary Baseline Matters to Contractors

If the CPGs are voluntary, why spend time on them? Three reasons.

They de-risk the requirements that are mandatory. The practices in the CPGs — asset inventory, MFA, access control, logging, incident response, patching — are the same practices underpinning FAR 52.204-21, NIST SP 800-171, and CMMC. Working the CPG list moves your NIST 800-171/SPRS posture in the right direction at the same time.

They are a triage tool for small business. A 12-person shop cannot implement 110 controls overnight. The CPGs' cost/impact/complexity ratings give you a defensible order of operations and a way to show progress to a prime or a contracting officer.

Many contractors are also critical-infrastructure entities. If you operate in defense, energy, water, healthcare, or communications, you fall within the audience CISA built the CPGs for, and within the audience for CISA's broader advisories and free services.

How the CPGs Fit the Rest of the Stack

Think in layers. The generally applicable legal baseline binds every business. FAR 52.204-21 adds the fifteen basic safeguarding requirements for federal contractors. NIST SP 800-171 and CMMC apply when you handle CUI. The CPGs sit alongside that stack as a voluntary readiness checklist, a way to build the muscle the binding standards will test. They pair especially well with CISA's free services (vulnerability scanning, the "Stuff Off Search" guidance, and more) referenced throughout the goals.

What to Do With Them

1. Download the CPG checklist and walk it function by function (Identify → Protect → Detect → Respond → Recover).
2. Score yourself on each goal: implemented, in progress, scoped, or not started.
3. Sequence by the ratings: knock out high-impact, low-cost goals first (MFA, asset inventory, removing default passwords).
4. Map the overlap to your NIST 800-171 controls and SPRS score so the same work counts twice.
5. Use the free CISA services the goals reference; there is no reason to pay for what CISA offers at no cost.

Key Takeaways

  • The CISA Cross-Sector CPGs (v1.0.1, 2023) are a voluntary, prioritized baseline of high-impact cybersecurity practices organized around the NIST CSF functions and mapped to real adversary techniques.
  • They are not binding and won't appear in a clause — but they overlap heavily with FAR 52.204-21, NIST 800-171, and CMMC, so the work pulls double duty.
  • For small contractors, the cost/impact/complexity ratings make the CPGs a triage tool: a defensible order of operations and an easy way to show progress.

Build from here on How to Build a GovCon Cybersecurity Program and the Self-Assessment Checklists; see how the binding standards connect on Frameworks; and confirm what applies to your contracts with Find My Requirements.


Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the editor of GovConCyber. He translates federal cybersecurity rules into plain language for the contractor community, with a focus on CMMC, DFARS, and False Claims Act enforcement trends.
