CISA's Cross-Sector Cybersecurity Performance Goals (CPG 2.0) are a voluntary, prioritized baseline of cybersecurity practices for critical infrastructure owners and operators, organized around the NIST CSF functions — Identify, Protect, Detect, Respond, and Recover. The 38 goals include CPG 2.X — Test the Response Plan, which explicitly calls for exercising the incident response plan at least annually. CyberICS delivers exactly that: 300+ ready-to-run OT/ICS tabletop scenarios, AI-generated After Action Reports, and audit-ready evidence packages mapped to specific CPG goal IDs across all 16 critical infrastructure sectors.
CISA designed the Cross-Sector CPGs as a common, prioritized starting point for every critical infrastructure owner and operator — and especially for the "target-rich, resource-poor" organizations that face nation-state and ransomware threats without enterprise-scale security budgets. The goals are deliberately voluntary, outcome-focused, and applicable across all 16 sectors.
The CPGs apply to every owner and operator of the systems and assets that underpin national critical functions. They provide a sector-agnostic baseline that organizations can adopt regardless of size, mapped to the NIST CSF functions so they integrate with existing programs.
CISA built the CPGs to help under-resourced critical infrastructure — small utilities, rural hospitals, municipal water systems, and lean manufacturers — adopt the highest-impact practices first. Exercises are one of the most cost-effective ways to validate readiness without large tooling investments.
CPG 2.X calls for testing the incident response plan at least annually through tabletop exercises or functional simulations. A standing CyberICS exercise program turns that recurring goal into a repeatable, evidence-generating cycle — in your team's working language — while reinforcing the other Identify, Protect, Detect, Respond, and Recover goals.
The CPGs name specific cyber practices across the NIST CSF functions. Tabletop exercises directly satisfy the response-plan testing, incident-reporting, and incident-planning goals, and generate evidence that supports several more.
| CPG Goal | Goal Name | Goal Summary | CyberICS Capability | Coverage |
|---|---|---|---|---|
| CPG 2.X | Test the Response Plan | Exercise the incident response plan at least annually through tabletop exercises or functional simulations | The core CyberICS deliverable — guided and live tabletop exercises that test the response plan end-to-end, with the AI AAR documenting what was exercised and the gaps surfaced | Core |
| CPG 4.A | Incident Reporting | Report cyber incidents to CISA and other relevant parties within required timeframes | A reporting-drill scenario rehearses the who / what / timeline of the CISA notification under realistic time pressure, captured in the session transcript | Core |
| CPG 4.B | Incident Response & IR Plans | Maintain and execute documented incident response plans covering both IT and OT environments | Scenarios drive the IR plan through containment, mitigation, and restoration decisions; the AAR maps each action back to the plan | Core |
| CPG 5.A | Incident Planning & Preparedness | Establish and document incident response and recovery plans for critical systems and OT processes | Running the exercise validates the plan and exposes gaps; the AAR plus gap tracking feed straight back into improving preparedness | Core |
| CPG 1.A | Asset Inventory | Maintain an up-to-date inventory of hardware and software assets across IT and OT environments | Scenario injects test whether the team can locate and reason about affected assets; gaps in the inventory surface during the exercise and are logged | Supporting |
| CPG 2.S | Network Segmentation (IT/OT) | Segment networks and isolate OT from corporate IT; control all IT/OT interconnections | Lateral-movement and IT-to-OT pivot scenarios pressure-test segmentation decisions and reveal whether boundaries hold under attack | Partial |
| CPG 2.E | Separate User & Privileged Accounts | Segregate standard user accounts from administrative and privileged accounts for all staff | Credential-abuse and privilege-escalation injects exercise the team's understanding of account separation and how it limits blast radius | Supporting |
| CPG 3.A | Detecting Relevant Threats & TTPs | Detect and respond to relevant threats and adversary tactics, techniques, and procedures (TTPs) | Scenarios are built around real MITRE ATT&CK for ICS techniques, exercising whether the team recognizes and acts on adversary TTPs | Partial |
| CPG 1.B | Organizational Cybersecurity Leadership | Designate accountable cybersecurity leadership and embed cyber risk in organizational governance | Leadership-level exercises put executives and decision-makers in the loop, producing the governance and accountability evidence the goal expects | Supporting |
Three core capabilities work together to deliver, document, and evidence the response-plan testing, incident-reporting, and incident-planning CPGs.
Live Session mode runs real-time, multi-participant tabletop exercises that test the incident response plan. Every step, response, and host action is timestamped — producing the auditable record that demonstrates CPG 2.X response-plan testing actually happened.
Immediately after each exercise, CyberICS generates a structured AAR documenting the response actions taken, gaps identified, and the specific CPG goal IDs exercised — the artifact a CISO or operations lead files as proof the drill ran and what it found.
The Compliance Dashboard assembles a CPG evidence package — response-plan test records, incident-reporting drills, exercise completion, and a goal-by-goal coverage map — so leadership can show concrete progress against the Cross-Sector CPGs to a board, regulator, or SRMA.
Six high-fidelity scenarios spanning the critical infrastructure sectors the CPGs target — each one exercises the response plan and generates evidence mapped to specific CPG goal IDs, with AI facilitator briefing included.
Ransomware spreads from corporate IT toward the SCADA environment of an electric utility. The team must test the response plan, decide on isolation, and execute the CISA notification — exercising CPG 2.X, 4.A, and 2.S.
An attacker abuses exposed remote access to alter chemical dosing setpoints at a small water utility. A resource-poor team must follow its incident plan and report — exercising CPG 5.A preparedness and CPG 4.A reporting.
A hospital's networked clinical and building systems are disrupted, threatening patient safety. The team tests its IR plan, locates affected assets, and coordinates response — exercising CPG 4.B and CPG 1.A inventory.
Adversary TTPs are detected against a transit operator's signaling and control systems. The exercise tests detection, segmentation, and the response plan — exercising CPG 3.A threat detection and CPG 2.S segmentation.
Stolen privileged credentials are used to move through a communications provider's management plane. The team tests its plan and reporting workflow — exercising CPG 2.E account separation and CPG 4.A reporting.
PLCs on a manufacturer's production line are manipulated, threatening safety and output. A full response-plan test drives containment and recovery decisions — exercising CPG 2.X testing and CPG 5.A preparedness.
Plus 300+ additional ICS/OT and enterprise scenarios spanning all 16 critical infrastructure sectors the CPGs cover. Browse the full library →
Every CyberICS exercise generates four categories of evidence demonstrating concrete progress against the Cross-Sector CPGs — for boards, regulators, insurers, and your SRMA.
Structured AI-generated report documenting the response actions taken, gaps found, and the CPG goal IDs exercised in the session.
Timestamped proof that the incident response plan was exercised at least annually — the artifact that demonstrates CPG 2.X directly.
Timestamped log of a CISA notification drill — who decided what, and how fast — demonstrating CPG 4.A reporting readiness.
A goal-by-goal coverage map showing which CPGs have been exercised, gaps remaining, and the remediation timeline across all functions.
CISA CPG 1.0.1 defines 38 foundational goals across five NIST CSF functions. CPG 2.0 (Dec 2024) reorganizes these under six functions — adding GOVERN — and consolidates IT/OT goals into universal standards. CyberICS scenarios map directly to specific CPG goal IDs.
CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.
Start with a free 14-day trial — no credit card required. Or speak with our team about a standing CPG exercise program that delivers CPG 2.X response-plan testing and evidence mapped to your sector's priority goals.
Also explore: CISA CTEP Toolkit · NIST CSF 2.0 Toolkit · NIST SP 800-82 Toolkit