Last year, the Cybersecurity and Infrastructure Security Agency (CISA) released its 2022 Cross-Sector Cybersecurity Performance Goals in order to provide guidance for improving cybersecurity across government and private sector organizations. This was the initial publication from CISA and will be updated regularly with coordination from NIST, with a targeted revision cycle of at least every 6 to 12 months. A key component of this publication is to deliver a set of cybersecurity protective measures that any organization can implement.

Key Cybersecurity Challenges

CISA worked with numerous organizations across a range of industries, identifying four key cybersecurity challenges that US organizations face:

  1. Organizations have not adopted fundamental security protections
  2. Mid and small market organizations are left behind
  3. Consistent cybersecurity standards and maturity are lacking
  4. Operational Technology (OT) cybersecurity remains overlooked and under-resourced

In identifying these challenges, CISA highlights focus areas where organizations can concentrate their efforts to reduce their overall cyber risk. Additionally, these four key challenges set the foundation for establishing CISA’s Cyber Performance Goals (CPGs) and associated characteristics:

  • A prioritized subset of cybersecurity practices
  • For IT and OT
  • Prioritized for risk reduction
  • Informed by threats observed by CISA and its government and industry partners
  • Applicable across all Critical Infrastructure (CI) sectors
  • Intended to meaningfully reduce risks to both CI operations and to the American people

Generally stated, these CPGs provide an organized set of cybersecurity practices for establishing the foundation of an adequate cyber risk posture. Further, this foundation will enable organizations to build solid cybersecurity practices while managing and maintaining a strong cyber risk posture. 

For clarity, the CPGs selected are based on the following criteria:

  1. Significantly and directly reduce the risk or impact caused by commonly observed, cross-sector threats and adversary TTPs. 
  2. Clear, actionable, and easily definable. 
  3. Reasonably straightforward and not cost-prohibitive for even small- and medium-sized entities to successfully implement. 

It should also be noted what the CPGs are not:

  • Not designed to be the cybersecurity or risk management program for an organization, since they do not discuss general risk management practices.
  • Not fully inclusive of every cybersecurity practice an organization should employ, but rather a foundation on which to build.
  • Not a maturity model, and not mandated by CISA.

Understanding the Cyber Performance Goals Model

As stated above, CISA’s CPG model is designed to be actionable, targeted, and risk-reducing. For example, section 1.1, Detection of Unsuccessful (Automated) Login Attempts, in the Account Security section of the CPG Worksheet defines the Outcome (“Protect organizations from automated, credential-based attacks”), the Risk Addressed, the Scope, and the Recommended Action.
Each goal is also aligned to the NIST Cybersecurity Framework (CSF) for reference and to enable tracking against organizational compliance and risk management requirements. The model is visualized so that organizations can easily interpret the intention and outcome of each goal. To this end, each goal is broken down into base components:

[Figure: a CPG goal broken down into its base components]

There are additional free resources and materials for practitioners that will assist in prioritization of CPGs for their organization, tracking implementation status, and communications with stakeholders. Further guidance and instructions on CPG worksheet use can be found here.
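The 1.1 goal discussed above (detection of unsuccessful, automated login attempts), as an added example that is not part of the original post or of the Orca platform: a small Python detector that parses constructed authentication events and alerts when a single source accumulates failed logins at or above a threshold within a sliding time window, also reporting how many distinct accounts that source targeted. The log line format, the threshold of 5 and the 60-second window are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real logs): a burst of
# failures from 203.0.113.5 across five accounts, plus ordinary activity.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth result=FAIL user=alice src=203.0.113.5
2024-03-01T09:00:02Z auth result=FAIL user=bob src=203.0.113.5
2024-03-01T09:00:03Z auth result=FAIL user=carol src=203.0.113.5
2024-03-01T09:00:04Z auth result=FAIL user=dave src=203.0.113.5
2024-03-01T09:00:05Z auth result=FAIL user=erin src=203.0.113.5
2024-03-01T09:00:10Z auth result=FAIL user=alice src=198.51.100.7
2024-03-01T09:00:40Z auth result=OK user=alice src=198.51.100.7
2024-03-01T09:30:00Z auth result=FAIL user=frank src=198.51.100.9
2024-03-01T09:45:00Z auth result=FAIL user=frank src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_events(text):
    """Yield (timestamp, result, user, src) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["src"]

def detect_automated_failures(text, threshold=5, window_seconds=60):
    """Return {src: (failure_count, distinct_users)} for every source whose
    failed logins reach `threshold` inside a sliding window (assumed values)."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)  # src -> list of (timestamp, user)
    for ts, result, user, src in parse_events(text):
        if result == "FAIL":
            failures[src].append((ts, user))
    alerts = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = {u for _, u in events[start:end + 1]}
                alerts[src] = (end - start + 1, len(users))
                break  # first qualifying window is enough to raise the alert
    return alerts
```

Running `detect_automated_failures(SAMPLE_LOG)` flags only 203.0.113.5, with 5 failures against 5 distinct accounts; the isolated failures from the other sources stay below the threshold.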

Achieving CPGs Using the Orca Security Platform

Overall, there are 38 CPGs which are divided into 8 categories. The Orca Cloud Security Platform helps organizations meet the following Cyber Performance Goals:

1.A – Identifies all cloud assets across all cloud ecosystems

1.E, 2.A-E – Identifies access control and policy violations for cloud ecosystems

2.F – Identifies network vulnerabilities that could allow an attacker lateral movement

2.G – Provides detection and alerting of all cloud assets

2.K-L – Identifies unencrypted sensitive data within the cloud ecosystem

2.O – Identifies policy and regulatory compliance gaps

2.T-U – Collects and alerts on cloud services event logs

2.V – Alerts on new, potentially unauthorized assets within or added to the environment

2.W-X – Identifies web facing assets with vulnerabilities an attacker could exploit to access the cloud ecosystem

3.A – Uses the MITRE ATT&CK framework to identify threat actor TTPs

4.B – Identifies vulnerabilities every 24 hours

4.C – Provides vulnerability identification, alerting and risk posture every 24 hours

The above list covers 21 of the 38 CISA Cyber Performance Goals, specifically those that are technical in nature and associated with cloud and multi-cloud ecosystems. Moreover, the 21 goals supported by the Orca Platform also satisfy CSF, ISO, and NIST SP 800-53 control requirements. This in turn supports CISA’s approach to the Cyber Performance Goals, making them easier to adopt and helping organizations as they develop and align to regulatory requirements.

About the Orca Cloud Security Platform

Orca Security is a FedRAMP Ready cloud security platform that provides full visibility into and coverage of government cloud estates while eliminating the blind spots, cost, organizational friction, and performance hits associated with purely agent-based solutions. With no agents to install, the Orca platform deploys in minutes, and in less than 24 hours you will have a complete understanding of your cloud risk posture.

Orca provides comprehensive risk detection in cloud workloads, configurations, and identities, all from a single platform – eliminating the need to deploy and maintain multiple tools such as cloud vulnerability management, workload protection, and security posture management solutions. With its Unified Data Model, Orca has deep contextual insights into the entire cloud estate. This allows Orca to understand which risk combinations create dangerous attack paths to mission data, so security teams can focus on their top threats instead of having to sift through hundreds of alerts before even getting to think about remediation.

Would you like to learn more about the Orca Cloud Security Platform? Watch a 10-minute demo video or sign up for a 1:1 demo. Want to get more hands-on? We offer a 30-day free risk assessment that includes a 30-day trial of our platform.