CISA released Cross‑Sector Cybersecurity Performance Goals 2.0, a voluntary baseline aligned to NIST CSF 2.0 that adds a new GOVERN function, consolidates OT and IT goals for cross‑domain applicability, and introduces net‑new goals addressing MSP risk, least‑privilege and incident communications while removing three duplicative goals. The update includes improved cost/impact/ease ratings, enhanced methodology and documentation, and a new CSET assessment module and checklist slated for Q1 2026; CISA also published initial Sector‑Specific Goals for Chemical, Energy (distribution and distributed energy resources) and Healthcare, with IT SSGs and Financial Services SSGs due this winter. The package aims to help small‑ and medium‑sized critical infrastructure operators prioritize high‑impact cyber investments and provides a common benchmarking framework that could influence vendor/MSP oversight, procurement decisions and institutional risk assessments across affected sectors.
CISA published Cross-Sector Cybersecurity Performance Goals 2.0 (CPG 2.0), a voluntary baseline aligned with NIST CSF 2.0 that adds a new GOVERN function to formalize leadership accountability and risk oversight, consolidates OT and IT goals for cross-domain applicability, and introduces net-new goals addressing MSP risk, the principle of least privilege, and incident communication while removing three duplicative goals. The package includes improved Cost/Impact/Ease of Implementation ratings, enhanced methodology and documentation, and schedules a new CSET assessment module and updated checklist for Q1 2026. CISA also released initial Sector-Specific Goals (SSGs) for Chemical, Energy (distribution and distributed energy resources) and Healthcare, with IT SSGs forthcoming and Financial Services SSGs targeted for winter 2025; the guidance explicitly aims to help small- and medium-sized critical-infrastructure operators prioritize high-impact actions. The explicit alignment to NIST CSF 2.0 and the addition of sector SSGs make these voluntary goals a ready benchmarking tool for procurement and maturity assessments. Market implications include modestly positive demand signals for compliance-, governance-, MSP-controls- and identity-management-focused vendors and increased scrutiny of MSP contracts, with a market-impact score of 0.3 and sentiment labeled mildly positive. Key execution risks are voluntary adoption timelines and uneven sector uptake, so near-term regulatory enforcement remains uncertain.
Overall Sentiment: mildly positive
Sentiment Score: 0.25