Regulatory Toolkit

CISA Cybersecurity Performance Goals (CPG) Toolkit

CISA's Cybersecurity Performance Goals (CPGs) define a baseline set of cybersecurity practices for all critical infrastructure sectors — cross-sector goals that any organization can implement, measure, and demonstrate. Critically, CPG 4.D explicitly requires tabletop exercises. Skyhigh maps to all 6 CPG categories and directly fulfills CPG 4.D's exercise requirement.

⚠️ CISA CPGs are voluntary baseline guidance for critical infrastructure. They are not mandatory regulations. However, alignment with CPGs may be required or strongly encouraged by sector-specific risk management agencies (SRMAs). This toolkit is for exercise program design only.
At a glance:
- 6 categories: CPG goal categories
- CPG 4.D: tabletop exercise requirement
- 36 goals: cross-sector baseline
- All 16 sectors: critical infrastructure
Understanding CISA Cybersecurity Performance Goals
CISA's CPGs are the most accessible entry point for critical infrastructure cybersecurity programs — voluntary, cross-sector, and explicitly calling out tabletop exercises in CPG 4.D.
CPG 4.D — Tabletop Exercises Are Explicitly Required
CPG Category 4 (Governance & Training) contains CPG 4.D: Conduct tabletop exercises. This is not an implicit recommendation — CISA's CPGs explicitly name tabletop exercises as a baseline cybersecurity performance goal for all critical infrastructure. Skyhigh exercises directly fulfill CPG 4.D and generate the documented evidence needed to demonstrate compliance with this goal to your sector risk management agency (SRMA).
Six CPG Categories
CISA's CPGs are organized into 6 categories: (1) Account Security — strong MFA, privileged access; (2) Device Security — EDR, patching, default credential changes; (3) Data Security — encryption, backups; (4) Governance & Training — IR plans, exercises (CPG 4.D), awareness; (5) Vulnerability Management — CVE prioritization, scanning; (6) Supply Chain / Third-Party — vendor risk assessment. Exercises surface gaps across all 6 categories.
Cross-Sector Baseline — All 16 Critical Infrastructure Sectors
Unlike sector-specific frameworks (NERC CIP for energy, TSA directives for transportation, HIPAA for healthcare), CISA CPGs apply equally to all 16 critical infrastructure sectors — and are voluntary. This makes them an ideal starting point for organizations new to structured cybersecurity programs, or a unifying baseline for organizations subject to multiple sector-specific frameworks. CPG compliance demonstrates good-faith cybersecurity effort to CISA and SRMAs.
CISA CPG Category Mapping
How Skyhigh tabletop exercises map across all 6 CPG categories and 36 baseline goals — with evidence generated for SRMA reporting and CISA program documentation.
| CPG Category | Key Goals | Skyhigh Coverage | Evidence Generated |
| --- | --- | --- | --- |
| 1 — Account Security | 1.A MFA; 1.B Privileged accounts; 1.C Phishing-resistant MFA; 1.E Unique credentials | Direct | Credential theft scenarios test MFA effectiveness; account compromise exercises |
| 2 — Device Security | 2.A Asset inventory; 2.B Default passwords; 2.C EDR; 2.D Secure RDP; 2.E Patching | Direct | Vulnerability exploitation scenarios; default credential attacks; EDR gap analysis |
| 3 — Data Security | 3.A Mitigate known vulns; 3.B File backups; 3.C Encrypted DNS | Supporting | Ransomware recovery scenarios test backup viability; data protection gap analysis |
| 4.A — IR Plan | Maintain an up-to-date incident response plan | Core | Exercise validates IR plan; gaps surface missing procedures; AAR updates plan |
| 4.B — Awareness Training | Conduct annual security awareness training | Core | Each exercise = annual awareness training documentation evidence (CPG 4.B) |
| 4.D — Tabletop Exercises | Conduct tabletop exercises (explicit CPG requirement) | Core | Skyhigh exercise = direct CPG 4.D fulfillment with dated exercise record |
| 5 — Vulnerability Management | 5.A Asset inventory review; 5.B Third-party validation; 5.C Vulnerability disclosure | Direct | Attack path exercises surface unpatched systems; vulnerability management gaps |
| 6 — Supply Chain / Third-Party | 6.A Third-party vendor risk program; 6.B Critical software validation | Direct | Vendor compromise and supply chain attack exercises test third-party risk processes |
Platform Capabilities for CISA CPG
Skyhigh is purpose-built to fulfill CPG 4.D and generate evidence across all 6 CPG categories — from SRMA-ready exercise records to a full 36-goal scorecard.
CPG 4.D Direct Fulfillment
CISA's CPG 4.D states: "Conduct tabletop exercises." Skyhigh exercises directly fulfill this requirement and generate the dated evidence record needed to demonstrate fulfillment to CISA, SRMA reviewers, and board-level stakeholders. Export exercise completion certificates for CPG 4.D documentation packages.
Tags: CPG 4.D Direct Fulfillment, CISA-Ready Exercise Record
Multi-CPG Gap Analysis
After each exercise, Skyhigh's gap analysis maps findings to CPG categories — identifying which of the 36 goals have gaps requiring remediation. Prioritize by CPG impact and track remediation to closure. Over time, build a CPG scorecard showing baseline fulfillment progress across all 6 categories for CISA SRMA reporting.
Tags: CPG Scorecard, Gap Analysis, 36 Goals, SRMA Reporting
Cross-Sector Scenario Library
CISA CPGs apply to all 16 critical infrastructure sectors — and so does Skyhigh. With 65+ scenarios spanning Energy, Healthcare, Transportation, Water, Manufacturing, Government, and Financial sectors, Skyhigh exercises reflect CISA's cross-sector threat intelligence, including CISA's Known Exploited Vulnerabilities (KEV) catalog and joint advisories from NSA/CISA/FBI.
Tags: All 16 Sectors, 65+ Scenarios, KEV-Informed, Joint Advisories
CISA CPG Exercise Scenarios
Scenarios designed to surface CPG gaps across all 6 categories — from CPG 4.D direct fulfillment exercises to comprehensive baseline measurement tabletops spanning all 16 critical infrastructure sectors.
Multi-Sector Ransomware — CISA CPG Response Exercise (Cross-Sector · CPG 4.D)
Ransomware campaign simultaneously targets multiple critical infrastructure sectors (energy, water, healthcare). Tests CPG 4.A IR plan activation, CPG 4.D exercise response, CISA reporting procedures, cross-sector coordination, and whether backup restoration (CPG 3.B) meets recovery objectives.
Tags: CPG 4.A, CPG 4.D, CPG 3.B
Nation-State Critical Infrastructure Campaign (Nation-State · CPG 5)
CISA/FBI joint advisory warns of a nation-state adversary targeting multiple critical infrastructure sectors with CVEs from the Known Exploited Vulnerabilities (KEV) catalog. Tests vulnerability management processes (CPG 5.A), emergency patching procedures, sector coordination, and CISA reporting.
Tags: CPG 5.A, KEV, CISA Report
Mass Phishing Campaign — Credential Harvesting at Scale (Phishing · CPG 1)
Sophisticated phishing campaign targeting critical infrastructure employees harvests credentials for multiple organizations. Tests CPG 1.A (MFA effectiveness), CPG 1.C (phishing-resistant MFA gaps), CPG 1.E (unique credential usage), and account compromise detection and response procedures.
Tags: CPG 1.A, CPG 1.C, MFA
Software Supply Chain Compromise — Trusted Tool Trojanized (Supply Chain · CPG 6)
A widely used IT management tool deployed across multiple critical infrastructure organizations is compromised at the vendor (SolarWinds-style). Tests CPG 6.A (vendor risk program), CPG 6.B (critical software validation), supply chain detection, and coordinated multi-organization response.
Tags: CPG 6.A, CPG 6.B, Supply Chain
Healthcare + Water Utility Simultaneous Attack — CPG Stress Test (Multi-Sector · CPG 4.D)
Simultaneous targeted attacks against a regional hospital and a water utility force cross-sector coordination between healthcare and water sector operators. Tests cross-sector CPG baseline capabilities, CISA Emergency Communications, mutual aid agreements, and CPG 4.D coordinated exercise response.
Tags: CPG 4.D, Cross-Sector, CISA Coordination
CISA CPG Gap Assessment Tabletop — Baseline Measurement Exercise (Assessment · CPG Baseline)
Structured tabletop exercise designed specifically to measure current CPG baseline fulfillment: teams assess each of the 36 CPGs against current practices, document gaps with an owner and target date, and produce a CPG scorecard as the exercise deliverable. Ideal for organizations starting their CPG journey.
Tags: All 6 Categories, 36 Goals, Scorecard, Baseline
Audit Evidence Generated
Every Skyhigh exercise automatically produces structured CPG documentation artifacts for CISA SRMA reporting, board presentations, and internal program tracking.
- CPG 4.D Exercise Record: dated tabletop exercise completion record, direct CISA CPG 4.D fulfillment evidence
- CPG Scorecard: 36-goal fulfillment assessment across all 6 CPG categories, SRMA reporting evidence
- CPG 4.B Training Record: annual security awareness training evidence, CPG 4.B fulfillment documentation
- IR Plan Validation: CPG 4.A incident response plan exercise record with gap findings and update log


Skyhigh exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.

Start Building Your CISA CPG Exercise Program

CPG 4.D explicitly requires tabletop exercises. Launch your first CPG-mapped exercise today — free to start.
