🔴 CISA CPG 2.0 Toolkit

Meet CISA's Cross-Sector Cybersecurity Performance Goals with
Ready-to-Run Tabletop Exercises

CISA's Cross-Sector Cybersecurity Performance Goals (CPG 2.0) are a voluntary, prioritized baseline of cybersecurity practices for critical infrastructure owners and operators, organized around the NIST CSF functions — Identify, Protect, Detect, Respond, and Recover. The 38 goals include CPG 2.X — Test the Response Plan, which explicitly calls for exercising the incident response plan at least annually. CyberICS delivers exactly that: 300+ ready-to-run OT/ICS tabletop scenarios, AI-generated After Action Reports, and audit-ready evidence packages mapped to specific CPG goal IDs across all 16 critical infrastructure sectors.

CPG 2.X — Test the Response Plan
CPG 4.A / 4.B — Incident reporting & response
CPG 5.A — Incident planning & preparedness
CPG 1.A — Asset inventory
All 16 critical infrastructure sectors
Start Free — 14-Day Trial 🏛️ See the CISA CTEP Toolkit → Talk to Our CISA CPG Team
Compliance Note: CyberICS exercise scenarios and evidence artifacts support the voluntary CISA Cross-Sector Cybersecurity Performance Goals (CPG 2.0) as part of a structured readiness program. They are not a determination of CPG adoption or compliance — the CPGs are voluntary, and prioritization decisions rest with your organization in consultation with your Sector Risk Management Agency (SRMA) and qualified advisors. CyberICS handles only unclassified exercise and training content and the records it generates.
Who the CPGs Are For

Critical Infrastructure Owners, Operators & the Under-Resourced

CISA designed the Cross-Sector CPGs as a common, prioritized starting point for every critical infrastructure owner and operator — and especially for the "target-rich, resource-poor" organizations that face nation-state and ransomware threats without enterprise-scale security budgets. The goals are deliberately voluntary, outcome-focused, and applicable across all 16 sectors.

Critical Infrastructure Owners & Operators

Across All 16 Sectors

The CPGs apply to every owner and operator of the systems and assets that underpin national critical functions. They provide a sector-agnostic baseline that organizations can adopt regardless of size, mapped to the NIST CSF functions so they integrate with existing programs.

  • Energy — electric, oil & natural gas (IT + OT/ICS/SCADA)
  • Water & Wastewater Systems
  • Healthcare & Public Health
  • Transportation, Communications & IT
  • Critical Manufacturing, Chemical, Food & Agriculture
Tabletop exercises directly satisfy CPG 2.X — Test the Response Plan and exercise CPG 4.A / 4.B incident reporting and response, with evidence mapped to each goal ID.
Target-Rich, Resource-Poor Organizations

CISA's Priority Audience

CISA built the CPGs to help under-resourced critical infrastructure — small utilities, rural hospitals, municipal water systems, and lean manufacturers — adopt the highest-impact practices first. Exercises are one of the most cost-effective ways to validate readiness without large tooling investments.

  • Small & rural water and wastewater utilities
  • Municipal & cooperative electric providers
  • Rural and community hospitals & clinics
  • Small & mid-size manufacturers with OT/ICS
  • K-12, local government & regional transit operators
CPG 5.A incident planning and preparedness is achievable for any organization — a guided CyberICS exercise produces the plan-validation evidence without a dedicated security team.
🔄

A Voluntary Baseline — But the Exercise Goal Recurs

CPG 2.X calls for testing the incident response plan at least annually through tabletop exercises or functional simulations. A standing CyberICS exercise program turns that recurring goal into a repeatable, evidence-generating cycle — in your team's working language — while reinforcing the other Identify, Protect, Detect, Respond, and Recover goals.

🇬🇧 English 🇫🇷 Français 🇵🇹 Português 🇪🇸 Español 🇩🇪 Deutsch 🇮🇹 Italiano
CISA CPG Mapping

CISA CPG Goals → CyberICS Capability

The CPGs name specific cyber practices across the NIST CSF functions. Tabletop exercises directly satisfy the response-plan testing, incident-reporting, and incident-planning goals, and generate evidence that supports several more.

CISA Cross-Sector CPG Reference

Coverage: Core = exercise directly satisfies the goal  |  Supporting = exercise validates / documents  |  Partial = scenario content covers the risk domain

CPG Goal Goal Name Goal Summary CyberICS Capability Coverage
CPG 2.X Test the Response Plan Exercise the incident response plan at least annually through tabletop exercises or functional simulations The core CyberICS deliverable — guided and live tabletop exercises that test the response plan end-to-end, with the AI AAR documenting what was exercised and the gaps surfaced Core
CPG 4.A Incident Reporting Report cyber incidents to CISA and other relevant parties within required timeframes A reporting-drill scenario rehearses the who / what / timeline of the CISA notification under realistic time pressure, captured in the session transcript Core
CPG 4.B Incident Response & IR Plans Maintain and execute documented incident response plans covering both IT and OT environments Scenarios drive the IR plan through containment, mitigation, and restoration decisions; the AAR maps each action back to the plan Core
CPG 5.A Incident Planning & Preparedness Establish and document incident response and recovery plans for critical systems and OT processes Running the exercise validates the plan and exposes gaps; the AAR plus gap tracking feed straight back into improving preparedness Core
CPG 1.A Asset Inventory Maintain an up-to-date inventory of hardware and software assets across IT and OT environments Scenario injects test whether the team can locate and reason about affected assets; gaps in the inventory surface during the exercise and are logged Supporting
CPG 2.S Network Segmentation (IT/OT) Segment networks and isolate OT from corporate IT; control all IT/OT interconnections Lateral-movement and IT-to-OT pivot scenarios pressure-test segmentation decisions and reveal whether boundaries hold under attack Partial
CPG 2.E Separate User & Privileged Accounts Segregate standard user accounts from administrative and privileged accounts for all staff Credential-abuse and privilege-escalation injects exercise the team's understanding of account separation and how it limits blast radius Supporting
CPG 3.A Detecting Relevant Threats & TTPs Detect and respond to relevant threats and adversary tactics, techniques, and procedures (TTPs) Scenarios are built around real MITRE ATT&CK for ICS techniques, exercising whether the team recognizes and acts on adversary TTPs Partial
CPG 1.B Organizational Cybersecurity Leadership Designate accountable cybersecurity leadership and embed cyber risk in organizational governance Leadership-level exercises put executives and decision-makers in the loop, producing the governance and accountability evidence the goal expects Supporting
Platform Capabilities

How CyberICS Supports Your CISA CPG Program

Three core capabilities work together to deliver, document, and evidence the response-plan testing, incident-reporting, and incident-planning CPGs.

🎲
CPG 2.X · 5.A

Structured Exercise Execution

Live Session mode runs real-time, multi-participant tabletop exercises that test the incident response plan. Every step, response, and host action is timestamped — producing the auditable record that demonstrates CPG 2.X response-plan testing actually happened.

  • Per-participant participation & completion record
  • Step-by-step response walkthrough log
  • Session date, scope, and duration metadata
  • Proof the response plan was exercised annually
📋
CPG 4.A · 4.B

AI-Generated After Action Report

Immediately after each exercise, CyberICS generates a structured AAR documenting the response actions taken, gaps identified, and the specific CPG goal IDs exercised — the artifact a CISO or operations lead files as proof the drill ran and what it found.

  • Incident response action sequence
  • CPG goal-ID references per gap
  • Corrective-action recommendations
  • Multilingual output (EN/FR/PT/ES/DE/IT)
📄
CPG Coverage Mapping

CISA CPG Evidence Package

The Compliance Dashboard assembles a CPG evidence package — response-plan test records, incident-reporting drills, exercise completion, and a goal-by-goal coverage map — so leadership can show concrete progress against the Cross-Sector CPGs to a board, regulator, or SRMA.

  • Goal-by-goal CPG coverage map
  • Response-plan test & reporting-drill records
  • Gap & remediation timeline by CPG goal
  • Exercise completion roster
Scenario Library

CISA CPG-Relevant Scenarios Across Critical Infrastructure

Six high-fidelity scenarios spanning the critical infrastructure sectors the CPGs target — each one exercises the response plan and generates evidence mapped to specific CPG goal IDs, with AI facilitator briefing included.

Energy · Electric
CPG 2.X · 4.B
Ransomware Cripples a Utility's OT Network

Ransomware spreads from corporate IT toward the SCADA environment of an electric utility. The team must test the response plan, decide on isolation, and execute the CISA notification — exercising CPG 2.X, 4.A, and 2.S.

CPG 2.X CPG 2.S MITRE T0883
Water · Wastewater
CPG 5.A · 4.A
Remote Access Tampering at a Water Plant

An attacker abuses exposed remote access to alter chemical dosing setpoints at a small water utility. A resource-poor team must follow its incident plan and report — exercising CPG 5.A preparedness and CPG 4.A reporting.

CPG 5.A CPG 4.A MITRE T0836
Healthcare · Public Health
CPG 4.B · 1.A
Medical Device Outage During an Attack

A hospital's networked clinical and building systems are disrupted, threatening patient safety. The team tests its IR plan, locates affected assets, and coordinates response — exercising CPG 4.B and CPG 1.A inventory.

CPG 4.B CPG 1.A HC3
Transportation Systems
CPG 2.S · 3.A
Signaling System Compromise at a Transit Operator

Adversary TTPs are detected against a transit operator's signaling and control systems. The exercise tests detection, segmentation, and the response plan — exercising CPG 3.A threat detection and CPG 2.S segmentation.

CPG 3.A CPG 2.S MITRE T0855
Communications · IT
CPG 4.A · 2.E
Privileged Credential Abuse at a Comms Provider

Stolen privileged credentials are used to move through a communications provider's management plane. The team tests its plan and reporting workflow — exercising CPG 2.E account separation and CPG 4.A reporting.

CPG 2.E CPG 4.A MITRE T0859
Critical Manufacturing · OT
CPG 2.X · 5.A
Production-Line PLC Manipulation

PLCs on a manufacturer's production line are manipulated, threatening safety and output. A full response-plan test drives containment and recovery decisions — exercising CPG 2.X testing and CPG 5.A preparedness.

CPG 2.X CPG 5.A IEC 62443

Plus 300+ additional ICS/OT and enterprise scenarios spanning all 16 critical infrastructure sectors the CPGs cover. Browse the full library →

Evidence Artifacts

Audit-Ready Documentation for CISA CPG Progress

Every CyberICS exercise generates four categories of evidence demonstrating concrete progress against the Cross-Sector CPGs — for boards, regulators, insurers, and your SRMA.

📋
After Action Report (AAR)

Structured AI-generated report documenting the response actions taken, gaps found, and the CPG goal IDs exercised in the session.

CPG 2.X / 4.B
Response-Plan Test Record

Timestamped proof that the incident response plan was exercised at least annually — the artifact that demonstrates CPG 2.X directly.

CPG 2.X
📧
Incident-Reporting Drill Record

Timestamped log of a CISA notification drill — who decided what, and how fast — demonstrating CPG 4.A reporting readiness.

CPG 4.A
📊
CPG Coverage Map

A goal-by-goal coverage map showing which CPGs have been exercised, gaps remaining, and the remediation timeline across all functions.

All CPG Functions
CPG 2.0 Goal Reference

38 Cross-Sector Cybersecurity Performance Goals

CISA CPG 1.0.1 defines 38 foundational goals across five NIST CSF functions. CPG 2.0 (Dec 2024) reorganizes these under six functions — adding GOVERN — and consolidates IT/OT goals into universal standards. CyberICS scenarios map directly to specific CPG goal IDs.

IDENTIFY Goals 1.A – 1.H (1.I removed in CPG 2.0)
1.A — Asset InventoryMaintain an up-to-date inventory of all hardware and software assets across IT and OT environments.
1.B — Network Topology MapsEstablish and maintain accurate network diagrams including IT/OT interconnections and remote access paths.
1.C — Basic Cybersecurity PoliciesDevelop, document, and implement foundational cybersecurity policies and acceptable use procedures.
1.D — Account ManagementEstablish processes to manage and track user accounts across all systems and lifecycle stages.
1.E — Privileged Account ManagementIdentify and control all privileged accounts; enforce least-privilege access across OT and IT systems.
1.F — Vulnerability Management ProgramEstablish a program to discover, prioritize, and track remediation of known vulnerabilities.
1.G — Unsanctioned IT/OT DiscoveryDiscover and remediate unsanctioned assets and shadow IT/OT infrastructure on the network.
1.H — Vulnerability Disclosure PolicyEstablish a coordinated vulnerability disclosure program to receive and act on security reports.
PROTECT Goals 2.A – 2.X (24 goals)
2.A — Software Version ManagementMaintain up-to-date software across IT and OT environments; track EOL systems.
2.B — Timely Vulnerability RemediationRemediate known exploited vulnerabilities (CISA KEV) within defined timeframes.
2.C — Unique CredentialsEnforce unique credentials for every user account; prohibit shared or default passwords.
2.D — Revoke Departing CredentialsRemove all access for terminated or departing staff within 24 hours of separation.
2.E — Separate User & Privileged AccountsSegregate standard user accounts from administrative/privileged accounts for all staff.
2.F — Access Management ProgramManage access rights systematically; enforce least-privilege and need-to-know principles.
2.G — Revoke Unnecessary AccessImmediately revoke access when no longer required; perform periodic access reviews.
2.H — Multifactor Authentication (MFA) ⭐Implement MFA for all remote access, VPN, and administrative account access.
2.I — Preventative Email MeasuresDisable malicious email macros; block dangerous file types; configure email filtering.
2.J — Encrypt Data at RestEncrypt sensitive data on devices, servers, and removable media at rest.
2.K — Strong Encryption in TransitEncrypt all data in transit using strong protocols (TLS 1.2+); disable weak ciphers.
2.L — Email Security (DMARC/DKIM/SPF)Implement DMARC, DKIM, and SPF email authentication to prevent domain spoofing.
2.M — Device SecuritySecure all devices including OT/ICS endpoints; enforce physical and logical controls.
2.N — Web Browser SecurityConfigure browsers securely; enforce automatic updates; restrict risky browser extensions.
2.O — Anti-Phishing TrainingConduct regular phishing simulation exercises and cybersecurity awareness training for all staff.
2.P — Endpoint ProtectionDeploy and maintain endpoint detection and response (EDR/AV) solutions on all endpoints.
2.Q — Offline / Immutable BackupsMaintain offline or immutable backups of all critical systems and OT configuration data.
2.R — Encrypt BackupsEncrypt all backup data; test restoration regularly to verify backup integrity.
2.S — Network Segmentation (IT/OT) ⭐Implement network segmentation; isolate OT networks from corporate IT; control all IT/OT interconnections.
2.T — Log CollectionEnable and collect security event logs from all critical IT and OT systems.
2.U — Centralized Log ManagementAggregate logs centrally and retain for a minimum of 6 months to support incident investigation.
2.V — Incident Response PlansDocument comprehensive incident response procedures covering OT and IT environments.
2.W — Response Plan ReviewReview and update incident response plans at least annually and after every significant incident.
2.X — Test the Response Plan ⭐Conduct tabletop exercises or functional simulations to test response plans at least annually. → Direct CyberICS deliverable.
DETECT
3.A — Detect & Respond to Threats Removed in CPG 2.0Detect and respond to relevant threats and TTPs. Merged into Protect and Respond goals in CPG 2.0.
RESPOND
4.A — Incident Planning & PreparednessMaintain documented incident response procedures; assign roles and responsibilities.
4.B — Notify Relevant PartiesReport incidents to CISA, FBI, and sector regulators within required timeframes.
4.C — Mitigate Cyber IncidentsContain incidents and restore operations swiftly; limit propagation and impact.
RECOVER
5.A — Recovery PlanningEstablish and document recovery plans for all critical systems and OT processes; test recovery procedures.
⭐ = Priority goals where CyberICS tabletop exercises directly generate compliance evidence.  |  CPG 2.0 adds a new GOVERN function (leadership accountability, MSP risk management) and reorganizes all 38 goals under 6 NIST CSF 2.0 functions. Goal IDs above follow the CPG 1.0.1 numbering scheme in common industry use.

Explore the Full Regulatory Toolkit Library

CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.

Ready to Test Your CISA CPG Response Plan?

Start with a free 14-day trial — no credit card required. Or speak with our team about a standing CPG exercise program that delivers CPG 2.X response-plan testing and evidence mapped to your sector's priority goals.

Also explore: CISA CTEP Toolkit  ·  NIST CSF 2.0 Toolkit  ·  NIST SP 800-82 Toolkit